IT'S TIME TO RENEW!

We are entering a new audit year beginning June 1st, and that means that we need to ask you to verify again that you wish to continue to receive CSO free of charge for the upcoming year.

Take a few minutes right now, and renew online at:

http://csoonline.com/renew/604

Renew today and you can avoid receiving more of these renewal requests and be certain that your subscription to CSO will continue uninterrupted.

CSO COMPASS AWARDS Our direction-setting honorees profiled




POSTAGE WILL BE PAID BY ADDRESSEE

CSO
ATTN: CIRCULATION DEPARTMENT
PO BOX 9014
FRAMINGHAM MA 01701-9836


EXCLUSIVE CSO Survey shows signs of your progress and growing influence. PAGE 30


HANDLE WITH CARE

If you don't learn to balance computer security with computer usability, you may end up with neither. PAGE 53


KEEP IT CLEAN

How does your company rate when it comes to corporate ethics? PAGE 58


THE RESOURCE FOR SECURITY EXECUTIVES

BUILDING THE FUTURE CSO

SPECIAL ISSUE

best practice how-to's

COVERAGE BEGINS ON PAGE 26

Kenneth Schaeffler, VP for Comerica's corporate information security services

June 2004 $9.00 www.csoonline.com


Now your network security works wherever your people do.

Whenever your people access your network remotely, they open the door to dangerous threats that could jeopardize your entire enterprise. Symantec™ Client Security provides network-level protection for remote users by integrating the critical security tools—antivirus, firewall and intrusion detection—into a single comprehensive solution. It automatically determines what security profile a remote device requires and seamlessly implements it wherever that device is. So even though your people are on the road, as far as hackers and viruses are concerned they never left the building. To learn more, download our free white paper, "Improving Protection and Security Management Through Client Security," at http://ses.symantec.com/SCSV2 or call 800 745 6054.

Symantec

Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Symantec Client Security is a trademark of Symantec Corporation. ©2004 Symantec Corporation. All rights reserved.


June 2004 VOL. 3, NO.


COLUMNS

22 On the Road to CSO
SECURITY COUNSEL Joyce Brocaglia, a founder and CEO of Alta Associates, an infosec recruiting company, answers readers' questions about CSO careers.

24 Open Secrets
FLASHPOINT Can you still claim your trade secrets were stolen if your security was sloppy? By William Cook

58 Keeping Your Business Clean
CSO UNDERCOVER A quiz to test the ethical health and well-being of your business.

Coverage begins on Page 26

30 Miles to Go
Our exclusive "State of the CSO" survey finds that this emerging profession has taken two steps forward, one step back. By Sarah D. Scalet

34 Natural Selection
Survival of the fittest may work in the animal kingdom, but grooming the next generation of CSOs requires a substantial investment of time, a sincere interest in employee development and a dash of humility. Are you ready for succession planning? By Daintry Duffy

40 Feather Your Nest
While certifications are great, they won't get you into the boardroom. But one-stop shopping for a security education isn't there yet. It's up to CSOs to help change all that. By Kathleen S. Carr

44 How to...
Build a better business case; Change people's minds; Keep tabs on technology; Market the security group; Talk to the board; Serve multiple masters.

DEPARTMENTS

13 Briefing
Peep show; Certifiable software; Another long, hot summer; Professional phishing on the rise; Unarmed and dangerous.

20 Wonk
In the clear: Companies that want to work with the government will need security clearance to do it. Easier said than done. By Julie Hanson

53 Machine Shop
Keep it simple: If you don't balance computer security with computer usability, you may end up with neither. By Simson Garfinkel
TOOLBOX IM security products.

64 Debriefing
The Alarmist.

Cover photo by Rachel Holland

IN EVERY ISSUE 4 CSOonline.com 6 Letter from the Editor 10 Letters 62 Index

2 www.csoonline.com June 2004


All In a




Photo ID
7:42 AM
Verify your identity to the parking entrance guard by presenting your photo ID card with the company's hologram.

Access Control
7:49 AM
Open the door to your facility with HID's 125 kHz proximity, the technology that opens thousands of doors each day!

Logical Access
9:02 AM
Use your contact smart chip module to log on to the network and access your PKI applications.

Cashless Vending
11:53 AM
It's make-your-own-taco day, and your card's magnetic stripe works with the legacy system in the cafeteria.

Biometrics
2:02 PM
Gain access to high-security areas in your building using your fingerprint, handprint, or iris - HID can store your biometric template on your card using 13.56 MHz iCLASS contactless smart card technology!

Time & Attendance
5:15 PM
After a productive day's work, clock out with your card — time to relax!

Proximity. Multi-Technology Cards. iCLASS

The sort of sensible ingenuity you'd expect from HID - the worldwide leader in access control.

iCLASS

www.HIDCorp.com/work

© 2004 HID Corporation. All rights reserved.

Smart. Powerful. Trusted.




-WILLIAM BRUGGER, CBCP, CRP, EXECUTIVE DIRECTOR, RISK STRATEGY AND ENTERPRISE, AT&T WIRELESS, FROM "SHOULD I.T. BE IN CHARGE OF BUSINESS CONTINUITY PLANNING?" WWW.CSOONLINE.COM/TALKBACK/032904.HTML


Security Counsel

Our expert this month is Fiona Williams, a partner in Deloitte & Touche's security services practice. She will answer readers' questions about SARBANES-OXLEY compliance. Visit Security Counsel to post your questions online and to revisit the archive of past experts, which includes a previous Q&A with Williams. Look for Williams' responses in the August 2004 issue of CSO.
www.csoonline.com/counsel

Free Newsletters

CSO newsletters are delivered right to your inbox for free. CSO UPDATE highlights CSOonline.com's most recent content. CSO CAREER alerts you to the latest openings in our job database. CSO SECURITY LEADERSHIP features articles focused on management issues facing CSOs. Subscribe now.
www.csoonline.com/newsletters

Revamped Research Centers

CSO magazine's Research Centers provide easy access to IN-DEPTH EXAMINATIONS of important security topics. Our editors update the centers continuously with critical articles, white papers, metrics, events, case studies and links to relevant sources. Topics include: Security Executive, Leadership & Business, Information Security, Corporate & Physical Security, Laws & Compliance, Business Continuity & Disaster Recovery, Risk Measurement & Analysis, Privacy, and Fundamentals. Go online and dig deep.
www.csoonline.com/research


Daily Dose of CSO

MONDAY
TALKBACK Web Editor Sandy Kendall raises security issues that warrant your feedback. Read her column to find out what's on her mind, and don't forget to tell us what you think.

TUESDAY
SECURITY CHECK Quick and easy. Vote in our weekly security poll, or check the results of previous polls (see below).

WEDNESDAY
ANALYST REPORTS We've gathered research and analysis from the leading security experts in the analyst community and put it all in one place. Visit each week for a new report.

THURSDAY
METRICS Get the security numbers you need. Did you know that 58 percent of companies spend between 5 percent and 10 percent of their IT budgets on security? Visit each week for more stats.

FRIDAY
POLITICS & POLICY Read our weekly recap of action on the Hill and legislative activity extending beyond the Beltway.

SECURITY CHECK

Will the Internet suffer a significant outage caused by hackers or terrorists this year?

58% Yes
42% No

SOURCE: SECURITY CHECK ONLINE POLL, APRIL 27-MAY 3, 2004.

TO VOTE IN THIS WEEK'S POLL, VISIT WWW.CSOONLINE.COM/POLL.


THE RESOURCE FOR SECURITY EXECUTIVES

President and CEO Walter Manninen
Group Publisher Gary J. Beach
Publisher Bob Bragdon

EDITORIAL

Editor in Chief Lew McCreary
Executive Editor Derek Slater
Managing Editor Elaine M. Cummings
Managing Editor, Production Cheryl R. Asselin
Senior Editors Scott Berinato, Todd Datz, Daintry Duffy, Sarah D. Scalet
Research Editor Lorraine Cosgrove Ware
Editor at Large Simson Garfinkel
Asst. Managing Editor, Production Kathleen S. Carr
Senior Copy Editor Emily S. Henderson
Copy Editor Cathy Mallen
Assoc. Copy Editor Daniel John Robinson
Special Projects Manager Lynne Z. Rigolini
Editorial Resource Manager Carol Zarrow
Editorial Assistants Daniel J. Horgan, Albert Sacco
Editorial Operations Specialist Julie Hanson
Research Contributor Sally Chicotel
Contributors William Cook, Paul Roberts, Thomas Wailgum

DESIGN

Executive Director, Art and Design Mary Lester
Art Director Steve Traynor
Associate Art Director Chandra Tallman
Design Operations Specialist Rachel Barnett

ONLINE EDITORIAL

Web Editorial Director Art Jahnke
Consulting Editor Janice Brand
Web Editor Sandy Kendall
Web Writer Jon Surmacz

ONLINE & INFORMATION SYSTEMS

Chief Information Officer Mark Hall

ONLINE

Senior VP/General Manager, Online Tim Horgan
Online Technology Director Dagmar Eiben
Senior Web Developers Diane Chen, Ellen Morey
Director of Online Research Kathleen Kotwica
E-Commerce Manager Andrew Burrell
Online Producer Shannon Macdonald
Online Content Researcher Tara Gillet-Liloia
Designer Graham White

INFORMATION SYSTEMS

Infrastructure Manager James C. Burgoyne
User Services Manager Ron Bettencourt
Senior User Services Specialists Michael Fahlsing, Jonathan Frappier
Systems Administrator Robert Reagan

Founder Joseph L. Levy

INTERNATIONAL DATA GROUP

Board Chairman Patrick J. McGovern
CEO Pat Kenealy

© CXO Media Inc.

4 www.csoonline.com June 2004

PHOTO BY GETTY IMAGES


YOU WERE THERE FOR THE BOOM.
You've made it through THE BUST.
Now IT'S TIME TO HIRE.
Someone who knows IT INSIDE AND OUT.

So why are your palms sweating?

Your IT budget has been approved. It's time to hire - but where do you turn to find the right fit? At Robert Half Technology, we really understand IT. Our unsurpassed knowledge of the technology marketplace allows us access to the very best and brightest in the industry. And we'll meet your requirements quickly and cost-effectively. So whether you're looking for someone to help manage your Q&A in application rollouts, upgrade your operating system, or even secure systems that prevent viruses - relax. Talk to us today. You'll get the right person for the job. Guaranteed*

ROBERT HALF TECHNOLOGY

Information Technology Professionals

WE GET IT. WE SPEAK IT. WE KNOW IT.

800.793.5533 . roberthalftechnology.com

A Robert Half International Company

*For more details on our guarantee, contact us today! ©Robert Half Technology. EOE


In a Perfect World...

I watch the zanily apocalyptic TV serial, 24. I endure the cliffhanger hooks that leave us viewers twisting at the end of each episode. But what I love most are the deeply disturbed characters—President David Palmer's ex-wife, Sherry, who would happily sell out the nation for a few more ounces of power; or the personality-disordered counterterrorist IT wonk, Chloe, who blinks uncomprehendingly at any sign of human feeling. Then, of course, there's the star, Jack Bauer, who has steadily gone to the seventh circle of hell (murder, torture, degradation, mayhem, personal loss, bad parenting, drug addiction) over the show's three seasons, all in the interest of national security. No other "hero" on mainstream television is so completely corrupted by his job.

But one of the weirdest sidelights of 24 is the implausibly miraculous way technology always performs. It doesn't matter whether it's the good guys decrypting the scrambled voice track of a captured cell phone conversation (captured how?), or the bad guys detecting the good guys' efforts to trace a computer connection so as to plot its location—the technology always works just about perfectly. I call this the selective application of Murphy's Law. Because everything other than the gizmos and software goes to hell in a handbasket. People who, presumably, were hired (or elected) because of their obvious brilliance do these unspeakably stupid things. We can't even begin to explain why President Palmer invited his psychopath ex-wife back to the administration's inner circle to "solve" an otherwise manageable problem, thereby precipitating a predictably grave crisis. But if you give Chloe a spare 30 seconds, she can assemble, in just a few keystrokes, the entire network of contacts (addresses, phone numbers, bios) of some evil purveyor of WMD.

It is a world in which cell phone batteries never die, human heat signatures are read by PDAs and surveillance satellites can count the hairs on a housefly's legs. Ask anyone who works with "real" technology if he would like to live in the infrastructure of 24. The only time anything breaks is because it's been sabotaged. And, even then, a few minutes of heroic ingenuity (usually Chloe's) gets it up and running again.

My computer freezes up a couple times a day. I finally took it down to our IS group, which swapped my hard drive into a new computer. They said it might help. "Sometimes there's a problem with the OS," said Jon. I nodded. It was completely plausible. I am waiting for the nerds of 24 to tell Jack Bauer that they couldn't save the free world because "there are issues with the OS."

A few days ago, some crappy little worm named Sasser knocked me and a bunch of my cohorts out of business for most of an afternoon. The IS team worked heroically to get us all uninfected. They had to go from machine to machine applying a patch, and it took them way more than a few minutes. In scriptwriter land, that's a bit too unexciting for sweeps month. We only hope 24 isn't driving the expectations of the user base. Because it's not in the nature of Murphy's Law to operate selectively.

-Lew McCreary
mccreary@cxo.com

6 www.csoonline.com June 2004

PHOTO BY WEBB CHAPPELL


SETTING NEW NETWORK SECURITY PRIVILEGES FOR 900 USERS? THAT'LL TAKE DAYS... WEEKS...

enterasys
Networks that Know

These days, no network is free of threats. That's why you have to assign network security privileges to everyone. Employees, customers, and partners. You need to set an acceptable use policy that dictates what each of them can and can't access. Until now, you had to do this manually.

Not anymore. Now you can do what Baylor University did. Implement an Enterasys Secure Networks™ solution with a unique, policy-based system that empowers the network to allocate resources based on specific users and their roles. The network "sees" who the user is and assigns privileges accordingly. This improved control also gives you more security.

It's all about giving you a smarter way to network with central, intuitive management. Find out more by visiting networksthatknow.com/Baylor. Or ask any one of the many enterprise customers we've worked with for years.


WOULDN'T YOU PREFER

YOUR BUSINESS AHEAD OF THE THREAT.

The only effective security is preemption. This preemptive power is only available with the Proventia™ Security Platform from Internet Security Systems. When software security flaws are discovered, Internet Security Systems' world-renowned research team updates Proventia to immediately shield against any attacks targeting weak spots. Regardless of the size of your business, this new standard in Internet security can help keep you off the path to disaster and reduce your total cost of ownership. In fact, when we manage Proventia for you, we'll even guarantee protection. Need proof? Get your free whitepaper, Preemptive Protection: Setting a New Standard in Security, at www.iss.net/proof/whitepaper or call 800-776-2362.

FIREWALL | ANTIVIRUS | INTRUSION PREVENTION | WEB FILTERING | MAIL SECURITY | MANAGED SERVICES | VULNERABILITY ASSESSMENT

THAT KEEPS YOU OUT OF THE ER?

[Chart: Infrastructure Uptime, 100% with ISS Protection]

Internet Security Systems®
Ahead of the threat.

ISS PREEMPTS THE THREAT. OTHERS REACT TO IT.


csoletters@cxo.com

Safety Matters

Of course, we all want to feel safe, both at home and in the workplace. As a CSO your employees depend on you to create a sense—and the reality—of safety. This letter conveys that urgency.

YOU CAN BE A PROUD CXO IF YOU CAN confidently say that, in the event of a crisis, your employees are trained and ready to handle it (see "Scare Tactics," March 2004). As this article so clearly explains, you can never predict human behavior in the face of a sudden and shocking incident. If your company doesn't have Corporate Emergency Response Teams (CERTs), exercising test scenarios monthly or quarterly, you face the consequences of poor operational risk management: losses that could have been prevented. We are amazed at how many executive rows we visit that still don't have an AED within arm's reach in the event of a heart attack. Protecting corporate assets first begins with common sense and then expands exponentially from there.

PETER L. HIGGINS
Managing Director
1SecureAudit LLC

Keep an Eye on Yourself

Your identity. It's who you are. And it can be stolen. Don't be a victim.

IN "FIVE WAYS TO FIGHT I.D. THEFT," March 2004, rule one, "practice good data hygiene," touches upon human nature, and the need to train and monitor employees. It concludes with a rhetorical question of whether or not this "sounds paranoid." Having worked on projects that involve unraveling the mysteries of how private or sensitive data has leaked out of a company, I have come to the conclusion that it is safer and less expensive to be paranoid than to leave security to chance.

Employees do not view use of a network in terms of officially sanctioned services. Most leakage occurs through the use of e-mail, instant messaging, encrypted attachments and posts.

I think that rule one should be amended to read, "block what you can and employ packet monitoring using an intelligent linguistic analysis engine for the balance."

RICHARD O'CONNELL
CTO
AMIC Research

Office Space

We got cheered and jeered for our March 2004 "What's Wrong with this Picture?" feature, which detailed an office space gone insecurely awry. Check out the interactive feature online and decide for yourself. See www.csoonline.com/printlinks.

MOST OF YOUR SUGGESTIONS ARE downright laughable and, in fact, prevented by the very setups that we work in. The vast majority of us do not have offices that we can lock; some of the password protocols we have are so convoluted that it is hard to even create an acceptable password, much less remember it without writing it down. Meanwhile, we are required to access our payroll statements online, which include everything from Social Security numbers and home addresses to bank routing numbers. And unless we print them at home, we must print them where anyone can pick them up. As for people spying through windows, we could all just work in secure, underground bunkers. That would solve the problem.

SHANNON IVERSON
Fire Mitigation Specialist
Bureau of Land Management

GREAT ARTICLE. THE INTERACTIVE assessment was very insightful. I made sure others in my company were sent the link to see just how security conscious they were. I can't wait to see their results.

ROBERT O. LILJE, CPP, CISM
Program Manager
MTC Technologies

We want to hear from you.

To respond to articles you've read in CSO, write to us at csoletters@cxo.com. We welcome your criticism, thoughts and suggestions.

How to Reach Us

E-MAIL csoletters@cxo.com
PHONE 508 872-0080
FAX 508 879-7784
ADDRESS CSO Magazine, 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208

SUBSCRIBER SERVICES
phone: 866 354-1125
fax: 847 564-9453
e-mail: cso@omeda.com

REPRINTS
For article reprints (500 quantity or more), contact Jackie Day at RSiCopyright at 651 582-3856 or e-mail csoreprints@rsicopyright.com.

ABOUT IDG International Data Group (IDG), the leading global provider of IT media, research, conferences and events, informs more people about technology than any other company in the world. Offering the widest range of media options, IDG reaches more than 120 million technology buyers in 85 countries representing 95 percent of worldwide IT spending. IDG publishes more than 300 newspapers and magazines in 85 countries, led by the Computerworld, Infoworld, Macworld, Network World, PC World and CIO global product lines. IDG offers online users the largest network of technology-specific sites around the world through IDG.net (www.idg.net), a gateway to IDG's 330 websites powered by more than 2,000 journalists reporting from every continent in the world. IDG also produces 168 technology-related conferences and events, and research company IDC provides global market intelligence, analysis and forecasts in 43 countries.

10 www.csoonline.com June 2004


You take your company's infrastructure security seriously.

So do we.

Security is a primary concern for all of us. That's why we've developed an array of new tools and guidance, centralized at microsoft.com/security/IT. It's a resource you can turn to for timely news, education, and tools, all intended to help you better plan and manage the security strategy that's right for your company.

Take advantage of the latest tools and training at microsoft.com/security/IT.

Free Security Training

Register for free security management training, including a Security Summit in a city near you, weekly security Webcasts, and in-depth e-learning designed to help you improve your security infrastructure.

Free Tools and Updates

Streamline patch management with free tools such as Microsoft® Software Update Services. Download software like Microsoft Baseline Security Analyzer to verify that your systems are configured to maximize security.

Free Emergency Notifications

Sign up to stay up-to-date with the latest vulnerability assessments, mitigation advice, and patch availability.

Free Security Guidance Kit

Evaluate detailed guidance and templates, then pre-order your free CD-ROM with roadmaps and how-to guides. Learn how measures like automating security patch installation and blocking unsafe e-mail attachments can help better protect your organization.

Go to microsoft.com/security/IT

For ongoing guidance to help better plan and manage your company's IT security, go to microsoft.com/security/IT today.

© 2004 Microsoft Corporation. All rights reserved. Microsoft is a registered trademark of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Microsoft


McAfee SECURITY

[Ad graphic: "i want to" / "focusing on what's attacking my servers" / "start focusing on attacking new markets"]

Start expanding securely with Intrusion Prevention Solutions from McAfee Security.

By combining System Protection and Network Protection Solutions, the McAfee® Security Protection-in-Depth™ strategy secures your business from the desktop, to the network, to the server—the mission-critical heart of your IT infrastructure. Add our Intrusion Prevention technologies and you can start preventing known and unknown threats rather than merely detecting them. Which means you can think a little less about security, and more about securing new markets. Start today at start.mcafeesecurity.com

Because security is not just about what you can stop.

McAfee and Protection-in-Depth are registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the US and/or other countries. All other registered trademarks herein are the sole property of their respective owners. © 2004 Networks Associates Technology, Inc. All Rights Reserved.

Network Associates


News, Stats and Fast Facts Edited by Kathleen Carr and Daintry Duffy

Peep Show

PRIVACY "Fair warning—digital video, picture cell phones will be confiscated and crushed with our sledgehammer."

So reads a sign at Bazooka's Showgirls in Kansas City, Mo., which, after all, is just protecting its...proprietary, well, data. Yes, and its employees, who are often nude dancers. An Associated Press story in February quoted Bazooka's owner saying so far the club hadn't actually smashed any phones, but it had asked people to put them away.

Cell phone camera use is on the rise, according to several industry trackers. The Consumer Electronics Association says that factory-to-dealer sales of camera phones totaled 6.3 million units last year, and the number is expected to double this year and triple in 2005. InfoTrends Research Group released a study last month saying shipments of camera phones will reach 150 million units this year. Forbes.com reports that Nokia expects to sell 140 million camera phones in 2004.

Not surprisingly, as use rises, so does misuse. A prime spot for sneaky photography appears to be health clubs, where people are often found in various states of undress or physical duress. Some clubs have policies banning camera phones or even cell phones from the gym facilities.

Legislation is pending in Chicago to impose a $500 fine for camera phone use in locker rooms, rest rooms, showers or lactation rooms. Colorado has passed a bill that would make it a crime to photograph other people's "intimate parts" without their consent.

Several CIOs and engineers questioned for this article say that their companies have no ban on cell phones, with or without cameras, even where their business revolves around proprietary data. Generally, they say, people are not allowed into sensitive areas without first signing a nondisclosure agreement. And all remark that when they are visiting client sites, particularly secure laboratories or classified facilities run by the government, cell phones and cameras of all types are banned.

-Sandy Kendall

CSO SECURITY CHECK

Does your company have a succession plan in place for the CSO position?

To read more about succession planning, read Senior Editor Daintry Duffy's story, "Natural Selection," on Page 34. To participate in a CSO Security Check poll, visit www.csoonline.com.


CERTIFIABLE SOFTWARE

CYBERSECURITY Software products don't typically come with a Good Housekeeping Seal of Approval, but they will, if a public-private cybersecurity task force has its way.

This spring, the National Cyber Security Partnership Task Force on Technical Standards and Common Criteria published recommendations to reduce software security vulnerabilities.

A guiding ethos of the group was that the task of ensuring product security shouldn't fall entirely on the shoulders of software executives and CSOs. The government can use its purchasing power to force vendors to build better products, and to set industrywide standards for security.

The recommendations that the task force put forth are part of a larger effort to secure the U.S. critical information infrastructure.

Among the recommendations were the following:

■ Technology companies should do more to foster secure computer coding practices and code audits that eliminate software vulnerabilities.

■ Companies should ship products with "secure by default" configurations and adhere to common product security "profiles" for different kinds of IT products.

■ The federal government should invest in software vulnerability assessment technology and support standards groups like the National Institute of Standards and Technology and the National Information Assurance Partnership.

The recommendations are intended to guide the decisions of software developers, purchasers and end users by making them more savvy about IT security.

In fact, task force leaders believe that the government's renewed focus on making common criteria certification a prerequisite for government procurement has already produced dramatic results in IT security.

"This is just truth in advertising for software," says Mary Ann Davidson, CSO at Oracle and cochairwoman of the task force. "Every vendor says its product is secure. We need an independent entity to vet those claims." -Paul Roberts

ILLUSTRATIONS BY PAUL HOWALT

June 2004 www.csoonline.com 13


Another Long, Hot Summer

LAW ENFORCEMENT For the U.S. Park Police, summer in D.C. just got hotter. Funding shortages, a high-profile management shake-up, and a long list of election-year commitments are stretching resources. The U.S. Park Police (USPP) is the federal force responsible for patrolling the National Mall, as well as the Statue of Liberty in New York City and the Golden Gate Bridge in San Francisco. And while the USPP is used to the hot and sticky capital summers, events are shaping up to make the summer of 2004 especially uncomfortable.

A federally funded study, released in August 2001 by the independent National Academy of Public Administration (NAPA), found a list of 20 areas that needed improvement in the force. However, the ink was barely dry on NAPA’s recommendations for the Park Police when the terrorist attacks of Sept. 11, 2001 changed the landscape in which the USPP operated and complicated reform efforts at the force.

An updated report by NAPA released in February 2004 found that the USPP has made only limited progress on many of its previous recommendations. For example, NAPA suggested the USPP focus its energies on Washington, D.C., and the surrounding areas, turning over policing duties in New York City and San Francisco to park rangers. But the USPP rejected that idea.

In addition to the force’s usual duties in Washington, New York City and San Francisco, USPP officers will be in Boston in July to help provide security for the Democratic National Convention. They will also provide security for the Republican National Convention in New York City in September.

With administration officials predicting that terrorists could try to strike prior to the fall elections, it’s likely that the USPP will be sweating this summer out.

-Paul Roberts


Top 10 Places You Don’t Want to Go on Your Next Business Trip

With the caveat that it’s impossible to predict terrorism, iJet Travel Risk Management has released its updated list of the most terrorism-prone countries:

COLOMBIA Revolutionary Armed Forces of Colombia has recently expanded its targets to include urban areas and civilians.

INDONESIA Terrorist cells located here have led several Western governments to warn against nonessential travel.

ISRAEL Known for Palestinian terrorist groups and suicide bombers.

KENYA Desirable al-Qaida target for terrorism. Close proximity to countries with little or no security.

PAKISTAN Ample supply of terrorist recruits. Popular hideout for Taliban and al-Qaida fugitives.

PHILIPPINES Terrorist training camps recently discovered in southern Philippines.

RUSSIA Threat of terrorist bombings to major urban centers, especially Moscow and St. Petersburg.

SAUDI ARABIA Islamic militants—in plentiful supply among disgruntled youth—have demonstrated their ability to stage large-scale attacks.

TURKEY Domestic extremist groups share common interests with al-Qaida.

YEMEN Easy access to weapons and explosives in the black market. Terrorists known to hide in remote regions out of government reach.


“Sir, You’ll Have to Remove Your Plastic Shoes”

Little Timmy’s getting good at identifying security threats. Playmobil recently released its latest in toy design—the airport security kiosk.




PHOTO  BOTTOM  BY  STEPHEN  WEBSTER 


. 


ClearTrust


Not long ago, four of the world’s largest automakers did something unusual. They worked together to form a procurement and supply chain exchange that would help each of them lower costs, improve quality, and speed time to market. But how do such fierce competitors collaborate safely? With the RSA ClearTrust® Access Management solution. Its secure single sign-on allows over 100,000 users to safely and easily share processes, ideas and efficiencies, without compromising confidential data. After all, it’s this data that could represent a car maker’s most critical component: Its next concept. To learn more, visit www.rsasecurity.com/go/iam12.




DEPARTMENT OF BIG, SCARY NUMBERS

[Figure: the number 402; the statistic it belongs to did not survive the scan. SOURCE: INFOSECURITY EUROPE 2004 SURVEY OF OFFICE WORKERS AT LIVERPOOL STREET STATION IN ENGLAND]

Professional Phishing on the Rise

E-MAIL In the span of just five months, the number of discrete attempted phishing attacks increased twentyfold. What’s more, experts say, the attacks are getting more targeted and more sophisticated and there’s not much technically that can be done. Unlike viruses, which manipulate code to cause damage, phishers carry out their attacks by conning users.

SOURCE: ANTI-PHISHING WORKING GROUP


Voice Over ID

FRAUD Credit card security has progressed very little in the past few years. In fact, anyone who has seen his own signature reduced to chicken scratch on an electronic signature pad might argue that it has actually regressed. But a new voice-activated credit card from Santa Monica, Calif.-based Beepcard promises to take our precious plastic and make it virtually fraudproof.

A voice-recognition chip, a microphone, a battery and a loudspeaker are embedded within the card, called Comdot. Despite all that technology, the card has the same length and width as a regular credit card and is only three times thicker.

Here’s how it works: When the card owner wants to conduct a transaction, he presses a button on the card that prompts him to say his password. If the password is correct and the voiceprint matches that of the card’s registered owner, the card emits an audible signal called a “squawk,” which wirelessly relays the necessary information to the merchant’s server. The card doesn’t require a special reader and can transmit its signal via a PC, cell phone or regular phone, so it can be used for remote transactions as well.

The security benefits are numerous. Not only would it be very difficult for a fraudster to match a cardholder’s unique voiceprint, the audible signal emitted by the card also changes with each transaction to a sequence that only the server knows. So, a signal recorded from a previous transaction won’t work again.
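The replay-resistant property described above (a per-transaction signal that a recording cannot reuse), as an added example that is not Beepcard’s code: the article does not say how Comdot derives its squawk, so this uses a counter-based HMAC code (the HOTP construction of RFC 4226) shared between a simulated card and a merchant server; the secret, digit count and look-ahead window are constructed values.

```python
"""Replay-resistant one-time transaction codes (added illustration, not Beepcard's design).

The card and the server share a secret and a transaction counter. Each squawk is
an HMAC of the counter, so every transaction produces a different code, and the
server never accepts a counter it has already consumed. A recording of an earlier
squawk is therefore rejected, which is the property the article describes.
"""
import hashlib
import hmac
import struct

DIGITS = 8      # length of the emitted code (assumed value)
LOOKAHEAD = 5   # skipped counters the server tolerates, e.g. squawks never heard (assumed)


def transaction_code(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Derive the code for the given transaction counter (HOTP, RFC 4226)."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class Card:
    """Simulated card: holds the shared secret and a counter that only moves forward."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._counter = 0

    def squawk(self) -> str:
        """Emit the code for the current transaction and advance the counter."""
        code = transaction_code(self._secret, self._counter)
        self._counter += 1
        return code


class MerchantServer:
    """Server side: knows each card's secret and the next counter it will accept."""

    def __init__(self):
        self._cards = {}  # card_id -> (secret, next expected counter)

    def enroll(self, card_id: str, secret: bytes) -> None:
        self._cards[card_id] = (secret, 0)

    def verify(self, card_id: str, code: str) -> bool:
        """Accept a code only for a counter at or ahead of the expected one, then consume it."""
        secret, expected = self._cards[card_id]
        for c in range(expected, expected + LOOKAHEAD):
            if hmac.compare_digest(transaction_code(secret, c), code):
                self._cards[card_id] = (secret, c + 1)  # move past the used counter
                return True
        return False  # wrong secret, too far ahead, or an already-used (replayed) counter


def demo() -> dict:
    """Walk through a transaction, a replay of it, and the next legitimate transaction."""
    secret = b"constructed-demo-secret-not-real"  # constructed sample value
    card = Card(secret)
    server = MerchantServer()
    server.enroll("card-1", secret)
    first = card.squawk()
    return {
        "first_accepted": server.verify("card-1", first),
        "replay_rejected": not server.verify("card-1", first),   # recorded squawk fails
        "next_accepted": server.verify("card-1", card.squawk()),
    }


if __name__ == "__main__":
    print(demo())
```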

Beepcard aims to have the card’s battery capable of 10 transactions per day for two years before it runs out. The company is currently working to slim down the card’s profile and increase its physical durability. But the prospect of this technology has security experts excited nonetheless. In a recent essay, security expert Bruce Schneier lauded the card as “perhaps the coolest security idea I’ve seen in a long time.”

But there are downsides. Price may be a factor. And if it is, customers won’t want to pay more for Comdot than they currently do for a credit card. And merchants won’t want to pay more to support it either. You only have to look at how Amex has fared with its higher fees to see where this could all end up.

We do think it’s pretty cool though as long as they don’t take this talking credit card thing too far. “Put me back in your wallet. You know you can’t afford that!” -Daintry Duffy




YOUR VPN ACCESS.
YOUR NETWORK ACCESS.
YOUR WEB ACCESS.
YOUR EMAIL ACCESS & CONFIDENTIALITY.
YOUR COMPUTER BOOT & FILES PROTECTION.
YOUR SECURE KEY STORAGE.
YOUR SECURE CERTIFICATE STORAGE.
YOUR SECURE PASSWORD STORAGE.
YOUR SECURE KEY GENERATOR.
YOUR USERS’ SELF-ENROLLMENT KEY.

It’s your digital identity organizer. Just one secure device for all your passwords, keys, and certificates.



NEW! eToken TMS Active Directory®-Based Management for your authentication devices

Aladdin’s eToken is strong, reliable 2-factor authentication that simplifies your life while securing your world. eToken is the Smartcard that doesn’t need a reader or a server. It simply plugs into a USB port—that makes eToken easy to deploy and really affordable. Your users only need to remember one eToken password and have their eToken for secure access. You only need our unique Token Management System—Active Directory®-Based Management for easy deployment and administration of digital identities and authentication devices. Call 1-800-562-2543 or visit Go-eToken.com for white papers, success stories and more on how eToken can secure your network and simplify your life.




Q&A Takis H. Sifonas is the chairman of the Canadian Society for Industrial Security. He is also the assistant director of security services for one of the largest hotels in Canada. His hotel—which has 1,040 rooms and 36 convention halls—sits in a high-risk location directly above Montreal’s famous Underground City and the Central Train Station. We talked to Sifonas recently about firearms, first responders and terrorists.

CSO: How would you describe the current state of physical security?

Takis H. Sifonas: I think that technology is slowly being used in place of manpower, and physical security is rapidly becoming overlooked.

What has been the impact of recent firearms legislation in Canada?

No corporate security specialist, regardless of their background or training, may possess a license to carry a firearm in Canada.

In December of 1989, 14 women were massacred at the Universite de Montreal by a maniacal gunman who entered a building. Then in August of 1992, a disgruntled professor at Concordia University used a pistol to murder four people and wound even more. Our government responded by enacting tighter legislation on handguns, for security personnel as well as individuals. The security personnel in these establishments were the first to respond to these incidents. The problem was that they were unable to deal with the situations because they were unarmed, and they had to wait until police entered the premises to intervene. By then, of course, it was too late to salvage the situation, and lives were inevitably lost.

How has this legislation affected Canada’s first responders?

Onsite security personnel are the first responders to crimes on their property, with an average response time of approximately 15 to 30 seconds. They can usually respond to gun calls long before a shot is fired. The problem is, they can no longer prevent that shot from being fired. We always ask ourselves what could have been done to prevent the firearm from getting into the criminal’s hands, but we respond by removing access to firearms by everyone but the perpetrator. Trained security professionals, responsible for thousands of lives each day, must deal with these situations. They are forced to rely on the hope that police response time will be improved and technology will somehow prevent a situation from escalating to the point where a firearm is used against civilians.

So are you an advocate of arming security personnel?

I am not a gun advocate; I am a security advocate. I am advocating the prudent use of firearms by qualified professionals (and not just any citizen) in the performance of their lawful duties under the auspices of their lawful institutions.

What can be done to prevent terrorists from acquiring weapons?

The truth is, the criminal or terrorist element will always find a way to possess weapons. And regardless how proficient we get at detection, there will always be those who will slip through the cracks. Security professionals have the training and experience to prevent all stages of crime, provided they are properly equipped.

-Kathleen S. Carr


[Pull quote, largely illegible in the scan; the legible fragments read “Venture [cap]italists h[ave …] us that companies … that m[ake …] … make vaccines.”]

-MARY ANN DAVIDSON, ORACLE CSO, ON THE LACK OF PRIVATE-SECTOR INVESTMENT IN VULNERABILITY REDUCTION




PHOTO  BY  JULIE  DUROCHER 




We help keep businesses running smoothly. Even one that serves 3.4 million customers a day.

The Washington, D.C. Metrorail can’t afford interruptions. So when it came time for necessary security upgrades, the Washington Metropolitan Area Transit Authority turned to ADT. Drawing on our unique resources and proven experience, we were able to create a system that integrates intrusion detection, access control and fire alarm into a single, cost-effective interface. And by helping streamline the Metrorail’s security system, we did the same for their entire operation. To see how we’ve helped other large clients, visit us at www.ADT.com/homelandsecurity. Because when handling complex projects in today’s environment, there’s really no substitute for experience. ADT Always There®




The Who, What and Why of Washington
NEWS FROM INSIDE THE BELTWAY

Top Billing

In the Clear

Companies that want to work with the government will need security clearance to do it. Easier said than done. By Julie Hanson


THERE ARE LOTS of opportunities for private-sector security vendors to work for the federal government. Agencies such as the Department of Homeland Security and the Transportation Security Administration are always looking for cutting-edge security technology. However, in order to work for the federal government, you need to first secure a contract and then obtain security clearance for all employees who will work on the project—not an easy task. This clearance involves a waiting period of nearly a year, which adds a layer of bureaucratic red tape for companies that want to work with the feds.

“It takes 350 days for a clearance to get finalized. We want to find out why it takes so long,” says Robert White, a spokesman for Rep. Tom Davis (R-Va.), chairman of the House Government Reform Committee. White says the committee plans to meet with industry and government officials to determine if there is anything they can do to help, legislative or not. The majority of clearances are processed by the Office of Personnel Management (OPM), which conducts more than 2 million security clearance investigations every year. CSO spoke with the OPM about a year ago, and even then, this organization was struggling with the slow process of clearances. The OPM declined to comment for this story because it is currently partaking in congressional testimony on this topic.

A big part of the problem exists in the chicken-and-egg nature of clearances. A company must first obtain a contract to work on a specific job in order to request a clearance.


This leaves a substantial gap between when a company successfully lands a contract and when it can actually put some of its own cleared employees to work on that problem, says Jim Regan, director of the George Mason University Procurement Technical Assistance Program, a nonprofit organization funded by the Defense Logistics Agency and George Mason University. The program increases contracting activity between small businesses, prime government contractors and the government.

Regan agrees that this backlog is a problem. “Best thing I can recommend: try to hire someone who already has clearances. That said, in the Washington area, folks with clearances in the software area are in short supply,” says Regan.

A coalition of industry groups has formed to suggest reforms to the security clearance process. This group includes the Information Technology Association of America, the Armed Forces Communications and Electronics Association, and the Professional Services Council. The coalition’s suggestions include using private-sector adjudicators to decrease backlog, and standardizing data and processes for clearances.

It could be months before there are any solid resolutions. In the meantime, it might be a good idea to take stock of who in your company has clearances before applying for that government contract job. ■

News from Washington

To read more about what’s happening in Washington, D.C., visit our website at www.csoonline.com/wonk.


The Department of Homeland Security has established the Anser (Advancing National Strategies and Enabling Results) Institute for Homeland Security, the department’s first government think tank. The institute will be managed by Arlington, Va.-based Analytic Services, a nonprofit research institute that provides analysis and technical support to federal agencies. This think tank focuses on matters involving policy and security where scientific, technical and analytical expertise is required, such as complex threat and vulnerability assessment areas.

Rep. Jim Turner (D-Texas), ranking member of the House Select Committee on Homeland Security, released a 90-page document with more than 100 specific recommendations for victory in the war against terrorism.

In March 2003, Computer Sciences Corp. delivered to the FBI the first phase of the Trilogy Program, a plan designed to overhaul the bureau’s IT systems and move them away from a paper-driven organization. This phase allows agents to share information across the bureau and with other agencies, as well as strengthen infrastructure security weaknesses. Prior to Trilogy many FBI employees were working on 8-year-old computers, unable to run basic software taken for granted in most offices around the globe.

McAfee Research, the technology research division of Network Associates, was awarded a sub-contract with the University of California, Berkeley and Pennsylvania State University to help build a large-scale cybersecurity test bed for the development of new defenses against computer worms, viruses and other attacks. The project is being partially funded by $10.8 million in grants from the National Science Foundation and DHS.




PHOTO  LEFT  BY  AP/WIDE  WORLD  PHOTOS;  TOP  BY  GETTYONE 


INFORMATION SECURITY MANAGEMENT CONFERENCE

The conference will focus on the key elements and foundations that comprise effective information security management practices. Included will be sessions that cover:

> Information security governance
> Risk management
> Information security program management
> Information security management
> Response management

Information Security Management Conference
13-15 September 2004
Caesars Palace
Las Vegas, Nevada, USA
www.isaca.org/infosecurity2004

Information Systems Audit and Control Association®




On the Road to CSO

Joyce Brocaglia, a founder and CEO of Alta Associates, an executive recruiting company specializing in information security, answers readers’ questions about CSO careers

Q: What is more important to CSO employers, years of experience or skill in strategic and tactical security management?

A: When employers are searching for a CSO, they consider both years of experience as well as strategic and tactical security management skills. The differentiator in determining who is a stronger candidate for the position ultimately depends upon the strength of the candidates’ strategic and tactical security management experience. Employers searching for an officer-level executive want to hire someone with a proven track record of establishing, implementing and managing an enterprisewide program. The years of experience are not as relevant as the accomplishments achieved during his tenure.

Q: How do I jump from a security manager position to a CSO or CISO role?

A: There are many ways to accomplish this task. However, the most fundamental lesson is that you must be perceived as part of the solution, not part of the problem. If you are interested in this career progression in your current company, your success will be directly related to the credibility you have established.

If you are looking outside of your organization, you will need to represent how you were able to establish credibility in your current company and how you would transfer that experience to the new organization.

Three essential ingredients to build credibility are establishing strong relationships, possessing a true understanding of your business and displaying effective communication skills.

Building relationships with key stakeholders can be as simple as identifying areas where you can help senior managers achieve their goals. By working together with them, you will win allies. Word will spread fast, and you will quickly establish a reputation as someone who gets it.

Understanding your business requires due diligence on your part. You need to be genuinely curious about the workings of your organization. Have industry-related discussions with people you respect and consider subject-matter experts in areas other than technology. You must gain an understanding of how your role and responsibilities fit into the bigger picture of what your organization is trying to accomplish and determine how you can be a positive influence.

Effective communication skills are absolute requirements for an executive-level position. Evaluate your verbal and written skills and be willing to go to charm school if necessary to strengthen them. It is very important to recognize that transitioning from an information security manager to a CISO or CSO is not just a change in jobs—it’s a change in careers. You must step out of your technical comfort zone and refine your management and communication skills to become a part of the executive team.

Q: To what extent can I expect to be able to change the culture of an organization? If my company seems security unconscious, can I expect to be able to make fundamental changes?

A: Changing corporate culture is a difficult and sometimes impossible task. My suggestion is to begin with low-hanging fruit and accomplish small wins. Pick one person within this new organization who seems receptive or has a problem that you feel you can help solve in a short period of time. If you are successful in assisting him in achieving his goals, he will become your advocate and spread the word to others about the rewarding experience. Have enough of these small wins and a consistent and positive message will spread about your capabilities. Establishing a security awareness program is also a good way to begin to change culture. Some of the most successful programs don’t take themselves too seriously; they utilize creativity, cartoons, rewards programs and other fun ideas to get a very serious point across. The bottom line is, it takes a lot of diligence to change corporate culture, and ultimately it may be an impossible task if you don’t have the support of senior-level management. If you can get executive management to set the tone from the top, your goal is an achievable one. If the executive management is security unconscious and unwilling to support your efforts, the best thing for you to change may be the company you work for. ■


Ask  Your  Peers 


Have  a  security  topic  to  suggest  or  an  expert  you’d  like  to  hear  from?  Send 
your  thoughts  to  Assistant  Managing  Editor  Kathleen  Carr  at  kcarr@cxo.com. 
See  what  your  peers  are  discussing  at  www.csoonline.com/counsel. 




PHOTO  BY  PETER  VIDOR 


Authenex

Affordable Strong e-Security

Strong Authentication

e-Security for Less Money

Authenex ASAS and other Authenex Enterprise products are now available as stand-alone appliances.

Strong Authentication
Hard Disk / File Encryption
Secure File Exchange

The Authenex A-Key used to tip the scale; Now, we practically break it.

Strong authentication at its most versatile, the Authenex A-Key USB token offers USB-based and one-time-password functionality. Furthermore, two-factor authentication for remote VPN, LAN, and web can be achieved with or without PKI, and you can use the same token for 128-bit AES encryption and secure file exchange, as well as CCID standard smart card compatibility for total mobility.



Full PKI Support
Driverless Mobility
One-Time Password

Get your free evaluation A-Key now* on the web at www.authenex.com/cso or call us at +1 877.AUTHENEX




•  Certain  terms  and  conditions  may  apply. 




Open  Secrets 

Can  you  still  claim  your  trade  secrets  were  stolen  it  your 
security  was  sloppy?  By  William  Cook 


IME  WAS,  A  COMPANY  could  feel  that  their  trade  secrets  were  reasonably 
safe  if  they  were  stored  in  a  password-protected  computer  system.  Most  courts 
agreed.  However,  a  court  opinion  rendered  in  2002  in  Arkansas  found  that  one 
company’s  sloppy  password  controls  left  its  most-prized  information  vulnerable. 

The  case  of  Weigh  Systems  South  v.  Mark’s  Scales  &  Equipment  involved  two 
former  Weigh  employees— a  manager  who  started  a  competing  firm,  Mark’s 
Scales  &  Equipment,  and  a  service  technician  who  joined  him  at  the  new  company. 
Weigh  alleged  that  its  former  employees  stole  proprietary  information  on  their  way 
out  the  door. 

Weigh  filed  a  complaint  seeking  damages  and  injunctive  relief,  alleging  that  the 
former  employees  and  Mark’s  Scales  violated  the  Arkansas  Trade  Secrets  Act. 
Weigh  asserted  that  its  former  employees 
had  misappropriated  its  customer  and 
vendor  lists,  pricing  information,  software, 
service  agreement  inventory  checklist  and 
marketing  plans— all  of  which  constituted 
trade  secrets.  Looks  pretty  good  for  Weigh 
so  far... right? 

The key question was, Is such information protectable as trade secrets? The court identified several factors material to its determination of whether information is a trade secret. These factors include:

1. the extent to which the information is known outside the business;
2. the extent to which the information is known by employees and others involved in the business;
3. what measures were taken by the company to guard the secrecy of the information;
4. the value of the information to the company and to its competitors;
5. how much effort or money the company expended in developing the information; and
6. the ease or difficulty with which the information could be acquired or duplicated by others.

The evidence presented in court was not favorable to Weigh’s case.

■  Weigh  conceded  that  some  or  all  of  its  customer  lists  and  vendors  appear  in 
public  directories  or  are  available  on  the  Internet.  The  testimony  at  trial  established 
that  Weigh’s  marketing  plan  was  established  by  visiting  trade  shows  and  talking 
with  customers  about  upcoming  projects. 

■ The court also found fault with Weigh’s security practices. The court observed that when Weigh technicians installed Weigh software, they were supposed to change the default password to one that only Weigh employees knew, but they did not always follow this procedure. The testimony further established that it was not uncommon for employees of Weigh to provide customers with the Weigh password. There was also testimony that a computer bug existed in Weigh’s software that allowed customers to gain access to the program without using any password, and that Weigh did not swiftly act to correct the bug.

■ The value of the information, to both competitors and to the company, was also difficult to determine. Weigh did not provide evidence as to the value of its vendor list, pricing information and so on. Instead Weigh contended that this information had been developed over time and was essential to making quotes on jobs and installing equipment.

After reviewing the facts, the court concluded that the information Weigh sought to protect was not a trade secret. It specifically concluded that the information contained in Weigh’s so-called trade secrets was information that was generally known or readily ascertainable. It further held that Weigh did not take adequate steps to protect certain information from being acquired or duplicated by others. Because the information was not a trade secret, the court concluded that the former Weigh employees and Mark’s Scales did not misappropriate the information from Weigh.

What do we draw from this case? First and foremost, your “adequate” security requirements change with time. You need to keep current on the technology, the case law and the regulations that apply to your business community. The adequacy standards that apply will vary between industries. Second, if your company brings a trade secret action against anyone, you, as the corporate security officer, will be a prime witness for the other side. You will be questioned at length in depositions and at trial about security practices you used and didn’t use with respect to your company’s trade secrets. Be prepared. ■

William  Cook,  a  partner  with  Wildman  Harrold  Allen  &  Dixon  based  in 
Chicago,  specializes  in  intellectual  property  litigation,  business  continuity 
and  security.  Cook  is  also  president  of  InfraGard-Chicago  and  a  founding 
member  of  the  U.S.  Secret  Service  Chicago  Electronic  Crimes  Task  Force. 


24  www.csoonline.com  June  2004 


ILLUSTRATION  BY  COLIN  JOHNSON 


WINNER 


Best  Security  Service 


Two  More 
Reasons  to 
Try  Qualys 


Editor’s  Choice  Award 


QualysGuard  —  The  Award  Winning  Solution 

More  than  1,500  customers,  including  BASF,  Hewlett-Packard, 
Standard Chartered Bank, and Sony use QualysGuard to minimize risk,
avoid  worms,  and  promote  trustworthy  online  business. 


See  What  Customers, 
Journalists  and  Analysts  Have 
To  Say  About  QualysGuard 


“QualysGuard Enterprise gained Analyst’s Choice recognition for its ability to regularly identify the most important vulnerabilities across the widest range of operating systems, applications and infrastructure devices of any of the products we tested.”

eWEEK 


“The  level  of  scanning  accuracy  and  elimination  of  false  positives  provides 
us  with  the  confidence  that  we  are  constantly  guarded  against  new  threats.” 

New  York  Board  of  Trade 

“In  evaluating  various  solutions,  the  decision  to  select  Qualys  was 
based  on  five  clear  criteria:  scanning  accuracy,  deployability,  scalability, 
ease-of-use  and  overall  cost  effectiveness.  Qualys  has  met  our  demands 
without  compromise  and  given  us  a  reliable,  centralized  solution 
for  protecting  our  critical  assets  worldwide.” 

Standard  Chartered  Bank 

“Techworld  grants  QualysGuard  a  Techworld  Recommended  Award 
for  deep  scanning  capabilities,  ease  of  use,  and  excellent  reporting.” 

Techworld 

“As  a  web-based  solution,  QualysGuard  enables  us  to  perform  security 
audits  as  often  as  necessary,  see  vulnerabilities  immediately  as  they  are 
added  to  the  QualysGuard  database,  and  work  proactively  to  remediate 
them.  This  helps  us  secure  all  of  our  network  entry  points,  enforce  ICI 
security  policies  and  assists  us  in  meeting  federal  requirements.” 


Imperial  Chemical  Industries 


“Identifying  security  risks  and  eliminating  threats  is  an  ongoing  effort 
for  all  organizations  -  large  and  small.  Qualys’  solution  enables 
companies  to  effectively  audit  their  networks  and  proactively  reduce 
risks  without  installing  or  deploying  complex  software.” 


IDC 




QualysGuard is a registered trademark of Qualys, Inc. Qualys and the Qualys logo are trademarks of Qualys, Inc. All other trademarks are the property of their respective owners.



You’ve  Picked 
a  Winner 

[But  you  already  knew  that,  didn’t  you?] 


CSO  is  again  the  proud  recipient  of  honors  at  the 
prestigious  2004  Jesse  H.  Neal  Awards.  CSO  was 
honored  with  four  awards  including  Best  Single  Article 
and  Best  Single  Issue.  CSO  was  also  honored  as  second 
runner-up  to  sister  publication  CIO  magazine  for  the 
Grand  Neal  Award— the  top  editorial  honor  granted  to 
one  publication  from  almost  1,300  entries  across  all 
categories  and  circulation  sizes. 


Often hailed for its preeminence as the “Pulitzer Prize of the business press,” the Neal Award is the business publishing industry’s annual salute to individual editors for outstanding editorial excellence.

The Neal Award judges aren’t the only ones who value CSO magazine. CSOs choose CSO magazine as the publication most relied on for security-related strategies and best practices.*

* SOURCE: CSO READER PROFILE STUDY, RESEARCH RESULTS, OCTOBER 2003.


The  Resource  for 
Security  Executives 




VERSION ONE

The CSO is a player at the boardroom table,

present  in  the  early  stages  of  acquisition  talks  and  a 
signee  on  regulatory  compliance  documents.  He’s 
got  a  staff.  He’s  got  an  MBA  with  a  concentration 
in  risk  mitigation.  The  CEO  doesn’t  view  security  as 
an  unfortunate  expense;  instead,  he  embraces  it  as 
an  investment  in  corporate  governance  and  value 
creation.  Security  is  part  of  the  brand,  the  customer 
contract,  the  stakeholder  seal  of  trust. 


VERSION TWO

The CSO is a figurehead. He’s trotted out for regulatory compliance, because if there’s a breach or a lawsuit, he’s going to be the one out of work. Then he’s sent back to the wiring closet or the basement monitoring station. Security staff actually report to the CIO (for infosec) and to the head of facilities (for corporate). The CSO finds out about his company’s acquisitions the same way you do...by reading The Wall Street Journal.


WHICH  OF  THESE  SCENARIOS  WILL  PROVE  TRUE? 

The easy way out is to say that the truth will lie between these two extremes. But it might not. This might be an either-or issue. If security leadership can’t get over certain humps and establish credibility in the inner circle of the corporation, the worst-case scenario—Version Two—might, in fact, come to pass. On the other hand, we’ve spoken to a growing number of CSOs who can clearly articulate the challenges and offer concrete solutions for getting past them.

Those leading lights show that the first version is entirely possible. Where are we today? Several numbers jump out from our second annual exclusive CSO survey (see “Miles to Go,” Page 30). Collectively, you’ve made significant inroads convincing your companies of the value of security. The percentage of respondents indicating that managers understand their roles and responsibilities pertaining to security more than doubled compared with last year’s results. Yet managers are still apparently less than convinced of the value of the CSO. Only 17 percent said that senior management regards the security leader’s role as strategic and permanent.

Where  those  numbers  go  next  year  and  beyond  is  up  to  you. 

This year’s special career issue aims to equip you to make further progress, offering best practices gleaned from experts both within and outside
the  security  world.  We  focus  on  several  key  strategies  for  building  the  CSO  of 
the  future— whether  that  person  is  you  or  someone  else.  One  best  practice  is 
succession  planning  (see  “Natural  Selection,”  Page  34).  Today,  particularly 
fortunate  (or  particularly  smart)  companies  may  have  one  experienced  leader 
at  the  top  of  the  security  function  who  understands  budgeting,  ROI,  corporate 
politics  and  the  finer  nuances  of  persuasion.  That’s  a  start.  But  what  happens 
tomorrow?  The  best  CSOs  are  already  planning  to  replace  themselves  by 
grooming  successors  equally  versed  in  the  art  of  leadership. 

Another key strategy is higher education (see “Feather Your Nest,” Page 40). Certifications offer great benefits but not the level of boardroom credibility that CSOs need in order to get top-to-bottom buy-in for security policies and processes. Unfortunately, academic offerings lag far behind the multifaceted demands of even today’s CSO job.

But  CSOs  are  working  hand  in  hand  with  the  academic  community  to  change 
all  that.  And  this  labor  is  indicative  of  what  lies  in  wait  for  CSOs  today,  as  they 
look  toward  the  future.  The  CSO  of  the  future  won’t  just  happen.  He  or  she  must 
be  built.  If  ever  there  were  a  place  for  proactive  security  leadership— both  for 
your  own  career  and  for  those  around  you— this  is  it.  The  chance  to  become  the 
CSO  in  Version  One  awaits  those  who  have  both  the  foresight  and  the  diligence 
to  take  hold  of  it. 

For  the  rest,  Version  Two  beckons.  -Derek  Slater 


Building  the 

future  CSO 


30  CSO  Survey:  Miles  to  Go 

CSO’s exclusive research on titles, salary, duties and more

34  Natural  Selection 

How  to  strengthen  your  team  through 
succession  planning 

40  Feather  Your  Nest 

Higher  education  can  enhance  your 
credibility,  but  the  programs  are  still 
under  construction 

44 How To...

Tips  for  building  a  business  case, 
changing  people's  minds  and  other 
crucial  skills 




Middleware  is  Everywhere 


MIDDLEWARE IS IBM SOFTWARE. Powerful software like Tivoli® and WebSphere®. And it’s at the heart of solving what analysts call the key issue of 2004: automation. IBM middleware is open and can deliver it all at a pace to match your needs. It anticipates problems, responds to change and optimizes resources. And it all leads to meeting business goals. That’s ON DEMAND BUSINESS.


1.  Increased  ATM  activity  detected  instantly. 

2.  Identities  confirmed  securely. 

3.  Online  banking  increases  dramatically. 

4.  IT  resources  optimized  dynamically. 

5.  Bank  serves  customers  easily. 


Learn  more  about  middleware  and  IBM’s  leadership  role  in  automation  at  ibm.com/middleware/automate 




Building the future CSO


An  emerging 
profession 
takes  two  steps 
forward,  one 
step  back 

By  Sarah  D.  Scalet 


WE NEVER SAID, dear reader, that your numbers were legion or your permanence guaranteed. Chief security officer is still as much a goal as a profession. It’s the notion that if only organizations would entrust all manner of security to someone with enough brains and influence, this CSO would be able to protect against everything from snoops to snipers and add to the bottom line to boot.

Optimistic?  Sure.  So  it’s  no  wonder  that  for  the  past  three  years, 
the  evolution  of  the  CSO  has  at  times  seemed  to  move  about  as  fast 
as  a  two-legged  dog.  There  have  been  murmurs 
about  restructurings  and  firings  and  turf  wars, 
about  the  small  number  of  CSO  job  openings  and 
even  smaller  number  of  listings  that  are  neither 
overly  technical  nor  unrealistically  broad.  CSO 
hasn’t  exactly  become  the  kind  of  acronym  that 
you  can  drop  at  a  cocktail  party. 

But there is proof at last that you are making progress. Proof is in a thorough new set of guidelines, developed by ASIS International, that define the role of the CSO. Proof is in a CISO Executive Membership program, developed by the Information Systems Security Association (ISSA), that aims to help first-time chief information security officers grow into their roles. Proof is in a high-powered brain trust, the Global Council of CSOs, led by one-time White House adviser Howard Schmidt. And proof is in our second annual “State of the CSO” survey, in which we quizzed 311 readers about their roles, responsibilities, budgets and more.

The biggest reason for your growing influence? Simply put, more of you are making inroads into senior management. Last year, only 19 percent of respondents were CSOs, CISOs, chief risk officers or vice presidents focused on security. This year, 26 percent claimed such a title. That may not sound like a huge increase. But if you think about what happened to your 401(k) portfolio during the same months, that kind of growth might not seem so shabby.

“I’m  surprised  it  went  so  fast,”  says  Dave  Cullinane,  who  is 
involved  with  the  ISSA  executive  group  and  the  Global  Council  of 
CSOs.  “There  are  cost  constraints.  If  you  take  someone  who’s  the 
manager  of  IT  security  and  give  him  a  promotion, 
you  need  more  money.” 

No  fooling— last  year,  only  21  percent  of  C-level 
respondents  earned  more  than  $150,000  a  year. 
This  year,  30  percent  of  those  with  C-level  titles 
reported  being  in  that  tax  bracket.  (Part  of  that 
might  be  due  to  the  audience  that  CSO  is  reaching, 
but  we  hope  at  least  a  few  respondents  from  last 
year  were  able  to  trade  in  their  Honda  for  a  BMW.) 

Paradoxically, though, the growth of the role may be spurred by money saved rather than money spent. Companies can often reduce costs by bringing information security and traditional or corporate security together under a true CSO. Maybe such cost savings are why, this year, a surprising 17 percent of respondents said they were in charge of all corporate and information security, and a total of 21 percent said their organization combined the two functions. (This despite the—how shall we put it—energetic debate between the alleged geeks and knuckle-draggers in these pages.) This year, more respondents also indicated that they knew the budgets for both IT and corporate security, suggesting an increased crossover between the disciplines.

[Callout] Percentage of respondents with C-level titles: 26%

Survey Methodology

CSO magazine’s second annual “State of the CSO” survey was conducted online from Feb. 9 through Feb. 28, 2004. Subscribers of CSO were invited to take the survey. Results shown here are based on the responses of 311 security professionals. (Not all respondents answered all questions.)

Survey respondents represented a range of industries including healthcare/pharmaceuticals/medical services (16%), finance/banking/accounting (13%), manufacturing (7%), government (14%) and computer-related industries (5%).

In terms of title, 26% of survey respondents held senior-level security titles including CSO, CISO, chief risk officer (CRO) or VP of security, while 30% were directors or managers of security. Six percent of the respondents were CIOs.

Thirteen percent of the survey base worked at companies with fewer than 500 employees. Thirty-six percent were from companies with 500 to 5,000 employees; 50% worked in companies with more than 5,000 employees.

When asked about company revenue, 24% reported annual company revenue of less than $100 million, and 25% reported revenue between $100 million and $999.9 million. Fifty-one percent reported company revenue greater than $1 billion.

-Lorraine Cosgrove Ware

At  the  financial  services  company  where  Cullinane  is  CISO,  for 
instance,  although  the  two  security  departments  still  remain  large¬ 
ly  separate,  the  investigations  groups  have  combined  resources. 
“There  are  too  many  opportunities  for  cost  savings  in  synergies  like 
that”  not  to  take  advantage  of  them,  Cullinane  says.  “I  think  that’s 
the  kind  of  thing  that’s  going  to  drive  [this  convergence].” 

Either way, security is security. And here’s more good news: It looks as if managers are starting to get it. Last year, only 18 percent of respondents indicated that managers at all levels of the organization understood their roles and responsibilities in regard to security. This year, almost half said that this was the case. That’s right: The number jumped from 18 percent to 45 percent. “That just means to me that the CSO is doing his job, as far as security awareness and programs,” says Tracy Lenzner, president and founder of executive recruiting company LenznerGroup, who indicates that what was once an employer’s job market is leveling out. “That’s proof in the pudding,” she says. “CSO is not just a title.”

All of which isn’t to say your work is done. Far from it. While managers may be starting to understand security, the struggle has intensified to keep senior management support from wavering as memories of 9/11 fade. Only 28 percent of respondents agreed that security was a routine part of their company’s business processes, down from 33 percent in 2003. More disturbing, only 25 percent reported that security was viewed as essential to business (instead of just an overhead cost), compared with 40 percent last year. Which presents a seeming contradiction: Line managers are getting it, but senior managers aren’t. And all the while, budgets and salaries are increasing. An optimistic read is that CSOs have higher expectations of what precisely “senior management support” entails. But we suspect that many CSOs are still getting caught in that old security trap: If nothing bad happened, then why are they necessary?

[Charts: CSOs Are Taking Small But Important Steps]
Security execs are getting more C-level titles in 2004 (CSO, CISO, CRO or VP title; 2003 vs. 2004)
...and salaries are inching up (less than $100K; $100K to $150K; $150K to $250K; more than $250K; 2003 vs. 2004)
Fewer CSOs are coming from IT and more from corporate security (IS/IT; military; corporate security; business operations; law enforcement; audit; legal; other)
...and more are getting a security certification (CISSP; CISA; CPP; 2003 vs. 2004)

“It may be that some of the support has waned,” says Pamela Fusco, CISO for Digex and CSO for MCI’s security solutions—not an admission she makes lightly. Fusco is such a security booster that she insists the CISO role will eventually swallow up the CIO role. However, “security is a tough business,” she admits. “You’re hated when there’s an attack, and when you’re safe, you’re not acknowledged. People take you for granted.”

And here is where the real work remains to be done—in getting out of this hamster wheel and making a business case for security. The trick and the challenge, CSOs say, is learning to speak the language of business. You’ve gotta be able to talk money. “Historically, we have a mind-set that security is inherently good,” says David Saenz, vice president of worldwide security at Levi Strauss & Co. and second vice president of the International Security Management Association. “As a practitioner, I understand that, but objectively, if I put myself in the role of the senior management committee, I have a lot of people telling me that what they want to do is inherently good. I’ll have to be convinced to say ‘yes’ to you and ‘no’ to somebody else.”

That’s why Saenz is involved with security leadership programs at both Georgetown University and Northwestern’s Kellogg School of Management. “We’re trying to give people that language skill set,” he says. “Actions speak louder than words.” And, rather than talking philosophically about why they ought to be allowed into the boardroom, CSOs need to start earning their way in.

[Charts, continued]
One in five companies has consolidated infosec and corporate security (infosec only; corporate and infosec combined; corporate security only; other 6%)
...and budgets are on the rise (infosec and corporate security; less than $250K; $250K to $1M; $1M to $5M; more than $5M; 2003 vs. 2004)
SOURCE: CSO RESEARCH

As we all know, there’s little historic precedent for the CSO. These positions could disappear as quickly as they have appeared. Seventy-five percent of CSOs responded that they are the first person to hold the title at their company. Only 17 percent of respondents said their senior management views the security leader role as a strategic—and permanent—function; among executive-level security practitioners, that number drops to 10 percent. It’s up to you to change their minds.

We  never  said,  dear  reader,  that  it  would  be  easy.  ■ 

Senior Editor Sarah D. Scalet can be reached at sscalet@cxo.com. Additional reporting for this story was done by Lorraine Cosgrove Ware, CSO’s research editor.


The  Ins  and  Outs  of  Security  Leadership 


Read  CSO's  primer  on  security  management,  "The  ABCs  of  New  Security  Leadership.” 

Go  to  www.csoonline.com/printlinks  to  find  the  article  online. 






The  Value  of  Trust 


MOBILE 

TECHNOLOGY 


Mobility and security are two words not often used in the same sentence. But now Intel and VeriSign are working together to help enterprises make wireless computing safer and simpler. And make mobile professionals more productive. Intel® Centrino™ mobile technology supports industry standard and leading third-party security solutions, such as VeriSign’s Strong Authentication Services and Digital Certificates, to enable safer notebook connectivity. So, security really does set you free. Free from wires. Free from worry. Free to move forward.


To  learn  more  about  Intel  and  VeriSign,  visit  www.SecuritySetsYouFree.com 


© 2003 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign logo, Security Sets You Free, Security Intelligence and Control, and other trademarks, service marks, and logos are registered or unregistered trademarks of VeriSign and its subsidiaries in the United States and in foreign countries. Intel, Intel Centrino, Intel Inside, the Intel Centrino logo, and the Intel Inside logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.


David  Saenz, 

VP  of  worldwide  security  at 
Levi  Strauss  &  Co.,  pays 
attention  to  company  culture 




Survival of the fittest may work in the animal kingdom, but grooming the next generation of CSOs requires a substantial investment of time, a sincere interest in employee development and a dash of humility.

Are  you  ready  for  succession  planning?  By  Daintry  Duffy 




WHEN MCDONALD’S Chairman and CEO Jim Cantalupo died suddenly of an apparent heart attack this past April, the hamburger chain was able to do something that many companies would be hard-pressed to do in the midst of the shock of such a loss: It immediately named a new executive team. Just hours after Cantalupo’s death, the McDonald’s board of directors named Charlie Bell the company’s new CEO, a move that soothed the nerves of the company’s jittery investors and employees.

But  this  was  no  impulse  decision.  When  Cantalupo  came  out  of  retirement  to  take  the 
reins  of  the  fast-food  giant  more  than  a  year  ago,  he  requested  that  Bell  be  named  COO 
so  that  he  could  groom  him  to  eventually  take  over  the  top  spot.  Cantalupo  understood 
that  his  legacy  at  the  company  would  be  judged  by  more  than  the  number  of  new  items 
added  to  the  menu.  It  would  be  measured  by  how  he  prepared  his  successor  and  the 
smoothness  of  the  transition  of  power. 

Leaders  often  wrestle  with  the  task  of  grooming  a  successor,  and  history  is  rife  with 
stories  of  succession  planning  gone  awry.  Recent  tales  of  Michael  Eisner’s  travails  at 
Disney  show  the  hazards  of  having  no  succession  plan  whatsoever— although  he 
claimed  to  have  an  emergency  envelope  tucked  inside  his  desk  containing  the  identity 
of  his  handpicked  replacement.  But,  in  reality,  Eisner  drove  so  many  of  his  would-be 
successors  out  of  the  company  that,  after  ousting  him  as  chairman,  the  Disney  board  is 




still  actively  working  on  building  a  real  succession  plan. 

And it’s not just a part of disaster planning. As talented executives and managers graduate to larger leadership roles, they vacate positions that need to be filled by equally gifted people. As a result, executive succession planning has become a staple of corporate due diligence.

A study by executive search firm Korn/Ferry International found that succession planning programs are on the rise: Only 33 percent of American boards of directors reported having a CEO succession plan in place in 2001, but by 2003 that number had jumped to 77 percent. “We’re clearly seeing more emphasis placed on things like business continuity planning,” says Mark Polansky, managing director and member of the Advanced Technology Practice at Korn/Ferry’s New York office. “But it’s not only about physical security, cybersecurity and losing electrical power,” he says. “9/11 taught us it’s also about losing people. [Succession planning] is consequently becoming a more prominent and practiced art.”

Although a CEO’s successor gets the most media attention, a succession plan should be in place for all of a company’s top executives, including the CSO. “If you lose one or two senior executives, it’s a domino effect that impacts a whole series of people,” says John Bruckman, managing director of the Change Management Group, a consultancy staffed by industrial and organizational psychologists. “You want to replace those people from within, and you want someone to seamlessly step in and take over as if nothing happened. You should have two to three successor candidates for every key position,” he advises.

We spoke with CSOs and management consultants to glean their perspective on the challenges and benefits of developing a succession plan for the CSO. We present their tips for growing security leaders who will ably guide your team into the future, and we show you why attention to succession planning can make your tenure as the CSO even more secure.

Don’t  Fear  the  Reaper 

Executives often delay succession planning or give the process short shrift for the same reason that people put off drawing up a will: it’s uncomfortable to think about death and dying. In the corporate world, creating a succession plan raises the equally feared specters of layoffs or retirement. It takes guts to tackle the issue head on.

A succession plan is more than a document containing the secret identity of your company’s next CSO. It is a living mission statement that puts into writing the attributes that future security leaders must have. It also includes the development and training programs needed to nurture successors and a methodology for ensuring management’s accountability to the plan.

A succession plan does not necessarily have to name an actual successor, although most CSOs we spoke with have candidates in mind that they have discussed with senior management. “The individual’s identity is confidential to the point where it needs to be announced,” says David Burrill, head of group security for British American Tobacco. “If you nominate someone too early, he’ll think that what he does in the future doesn’t matter.” Instead, Burrill wants to keep his candidates hungry for the position. “[My candidates] will know that they’re doing well, that they are highly regarded and will almost certainly know they’re in the running for the job. But if there is only one person in the running, if there isn’t a sense of competition, we have a problem.”

The transparency of the process depends largely on the corporate culture that you’re working within. Many companies keep their candidate list completely confidential, sharing it only with top management for fear that the process will become too political or open the department up to be cherry-picked by headhunters. Other companies make selecting executive successors a more open process where each candidate gets an annual or biannual review indicating what he needs to do to prepare himself to take on the CSO role. Regardless of which method you choose, the criteria for the CSO role should not be treated like a trade secret. If you want employees to aspire to be future security leaders, they have to understand the standards and expectations against which they will be judged.

The goal for Burrill and for many of the CSOs we interviewed is to build a succession plan that’s so solid that they never have to look outside the company for a security executive candidate. “If we got it right, we should be able to home grow our own head of security,” says Burrill. “If we had to go out to the public sector [to hire candidates], I would consider it a failure because they would have to adjust to our business environment and quite a lot of them never will. Over time that can cripple an entire function.”

Plan  from  the  Top... 

A  good  succession  plan  should  be  two  things:  mandated  from  the 
top  down  and  then  built  from  the  bottom  up.  Management  support 
and  leadership  are  critical  to  validating  the  plan  and  creating 
accountability.  Sound  recruitment  and  retention  policies  are  crucial 
to  bringing  good  people  into  the  system. 

Few  CSOs  have  the  luxury  of  choosing  their  successors  without  a 
good  deal  of  input  from  management,  so  it’s  important  that  the 
process  is  steered  by  corporate  leadership.  “It  has  to  be  driven  from 
the  top,  by  the  board  of  directors,  the  chairman  and  the  CEO.  It 
can’t  be  driven  by  the  CSO,”  says  Bruckman.  “All  he  can  do  is  make 
a  really  good  case  for  one  particular  candidate.” 

At  Merck,  CEO  Ray  Gilmartin  is  within  two  years  of  retirement 
and  has  set  an  example  of  succession  planning  for  his  management 
team  by  announcing  that  his  successor  will  come  from  within. 


36  www.csoonline.com  June  2004 


Gilmartin has stressed the importance of developing leaders internally by acknowledging that when he was brought in from the outside in 1994 it was far more disruptive to the organization than an internal appointment would have been. Merck CSO Bob Moore believes that Gilmartin’s strategy applies equally to the security function.

“There is a lot of disruption when you bring someone in from the outside to head up security. And to be brutally frank, if a company doesn’t develop from within, it points to a lack of planning on its part.”

At British American Tobacco, succession plans are mandated throughout the company, and tied to the organization’s career development meetings (CDMs) that take place between all employees and their managers. CDMs address an employee’s performance as well as his potential and identify individuals with leadership prospects. Once a year, Burrill meets at corporate headquarters in London with a member of the board and a senior executive from human resources to discuss employees within security who are prepared to succeed into senior executive positions. This ensures that Burrill’s hottest prospects are discussed with senior management while keeping him accountable for their continued development and progress.

...And  Build  from  the  Bottom 

On the other side of the spectrum, CSOs need to be diligent about attracting individuals with leadership potential into security and making it appealing for them to stay on and build careers there. The problem is that managers and executives tend to value people who are like them, says James Redeker, chairman of the Employment Services Practice Group at law firm Wolf, Block, Schorr and Solis-Cohen. And that fact is often reflected in hirings and promotions. This can be particularly true in security organizations, which tend to be populated by people with similar backgrounds such as law enforcement, three-letter government agencies and information security.

“The danger is that you start to create clones,” says Burrill. “If everyone is trained the same way and everyone agrees with each other, then nobody is going to ask the rogue questions.” Burrill values a staff with diverse backgrounds. “We want our security managers to come from the military, from law enforcement and the state department. We want some to be brought up through the business side and some who have never been in any of those groups. They all blend together to create a pot of gold,” he says.




Building your own leaders also presents some unique challenges in the security world. Unlike other business units, security tends to be small and there are limited opportunities to break into management. Consequently, part of the price of building a strong succession plan with solid future CSO candidates is that you have to be willing to lose them. “Most security organizations are lean and mean until you get to the major companies,” says Bill Wipprecht, CSO of Wells Fargo. He believes in cross-training his people to ensure that they have the leadership skills that will prepare them to take over when somebody leaves or retires. But he acknowledges that sometimes those opportunities will come up at another company before they do at Wells Fargo. “If somebody comes to me and says he’s going to be security director at another company, that makes me proud,” he says. “I don’t mind promoting people out like that because it’s a positive thing for the industry.”

However, timing can also work in a company’s favor. Jim Christian, vice president and head of corporate security and aviation at Novartis, has had employees leave for a better opportunity with a competitor, and then three years later a position will open up and Novartis can lure that individual back. “A lot of it is timing; sometimes we have the person and not the position,” says Christian.

Derrick Barton, cofounder of the Center for Talent Retention, suggests that CSOs who want to hold onto their best people should consider creating career opportunities rather than waiting for positions to open up. This can mean designing a special assignment for someone who wants to build his or her skills in a particular area of security. Thus, employees who are hungry for development can get it without necessarily being appointed to a new job. “Make it a role that the person can execute and be compensated for,” says Barton. “There doesn’t have to be a ton of hierarchy for something to be a career-opportunity trigger.”

The simple act of letting a person know that she is well thought of is also important to employee retention. “I can’t tell you how many high performers were delivering great work, but no one ever told them. They decide, ‘I’m out of here,’” says Barton. “Once that happens, there’s a very high correlation with those people actually leaving, and they will deliver high performance until the moment they walk into your office and say they’re moving on.” CSOs can’t put off these discussions, or they will find their best replacement candidates slowly trickling out of the corporation.

On a positive note, one employment trend benefiting CSOs is that the decade of the freelance nation is over. Employees are no longer as interested in hopping from one company to another as they were in the ’90s. The desire for stability, and the opportunity to build a career at a single company, is more valued at this point.

Define  the  Role 

When  succession  plans  do  exist,  they  are  often  based  on  the  wrong 
criteria.  Performance  evaluations  can  identify  talented  people 
within  your  group,  but  they  are  records  of  an  individual’s  past 
accomplishments.  A  good  succession  plan  should  be  based  on  the 
skills  and  values  that  will  define  the  CSO  role  in  the  future.  The 
executive  that  has  been  a  corporate  superstar  for  the  past  15  years  is 
not  necessarily  the  best-equipped  leader  for  the  challenges  that  are 
sure  to  arise  in  the  next  decade.  CSOs  who  embark  upon  succession 
planning  must  first  consider  what  the  defining  characteristics  of  the 
future  security  executive  will  be. 

The first quality often cited is the necessity of fitting in with the organizational culture. This can be especially important in the security realm where success is highly dependent on the ability to change people’s behavior. David Saenz, vice president of worldwide security at Levi Strauss & Co., is involved with the International Security Management Association (ISMA) Leadership Program, a yearlong executive development and leadership seminar for potential CSOs held at Georgetown University. He often coaches students to pay attention to an organization’s culture when they interview for a top security job. “We’ve had people that have interviewed for positions [at Levi Strauss], and they had all the skills. But in terms of the fit and the culture, they wouldn’t have been in sync.”

Cultural sensitivity and fitting in have to be married with the political and business savvy that security departments have historically lacked. Security has often been perceived as the “dark shadow,” notes Moore, in the sense that it is closeted away from the rest of the organization, creating the illusion that it is somehow different from other business units.

It’s a problem that Saenz still sees in the writing projects done by would-be-CSO students. “The papers fail to link security work to the strategic objectives of the business,” he says. “There is a lack of a sound financial analysis, other than saying we should do this because security is inherently good.”

A company’s CSO is just one of many executives competing for limited resources, and without speaking the language of financial impact and ROI, his batting average will be poor. “If you want to be a plumber, you learn the language of a plumber. Likewise, you have to learn to talk the language of business—which is money,” says Saenz.

CSOs also need a battery of less tangible skills to be successful: initiative, imagination, the flexibility to roll with business changes, and an understanding of and social proficiency with cultures outside of the United States. “Security is driven by the social and political realms as well as economics, and you have to have those different skills,” says Moore. “Security professionals, in addition to being specialists, have to be generalists with special skills.”

Develop High Performers

Once you identify the skills that you want your security executive candidates to have, the next challenge is to create the opportunities and experiences that will inculcate those qualities into your leadership pool. Often this means pushing your most talented people outside their area of expertise to see if they sink or swim.

Communication skills are critical to a CSO and will only become more important as the security function grows in prominence. Wipprecht agrees that a CSO candidate must have the right technical skills. But getting to the top also requires people skills—especially the ability to communicate with management. “You’ve got to expose your future talents to management,” says Wipprecht. “Management has to get to know you on a personal basis,” he says.

Moore goes a step further, encouraging his top security managers to interact regularly with senior executives to eliminate some of the natural deference to seniority that often exists. “You have to move outside your comfort zones in order to prepare for those big steps.”

Ensuring that their top performers get business and management exposure can also give CSOs valuable insight into their abilities. Moore gets feedback from the line-of-business clients and stakeholders with whom his people interact twice a year. He feeds information about their strengths and weaknesses back into the succession planning funnel to determine their progress and the areas where they may need improvement.

Giving employees global exposure is also critical. Merck is part of the Customs-Trade Partnership Against Terrorism (C-TPAT), a joint initiative between the U.S. government and businesses to protect the security of cargo entering the United States. And with far-flung operations around the world, it’s important that Merck’s security executives have a global perspective. To that end, Moore is sending three global staff members to Europe, along with a senior security executive, to work on C-TPAT compliance issues. Aside from the project work, his other motives are to give these employees some valuable experience, and to see how these three individuals will fare. “I’ll get an assessment of who adapted better to working in a non-U.S. environment and how they dealt with jet lag, language issues, the vagaries of international travel and business. You have to do these things to give them a 360-degree view of the world and the company. They won’t get that unless they get out there and mix with other regions and people.”

Establishing mentoring and coaching relationships is another way to build employee skill sets, whether you are setting security managers up with executive coaches or with each other. Barton suggests a practice that he calls “talent networking,” where high-performing employees identify two skills that they feel are their strengths and two that could use further development. High performers are then matched up by complementary strengths and weaknesses to create mentoring relationships that enable them to grow in the areas they need to while leveraging their own expertise to help someone else.

Leadership opportunities don’t just exist in the corporate setting. Saenz encourages his Levi Strauss security staff to create their own leadership experiences in everyday life, noting that the political dynamics of the corporate world aren’t always conducive to a good learning environment. He advises CSOs to encourage their people to “look for opportunities to practice leadership in the community. Whether it’s with a nonprofit, serving on the city council or on a board of directors, those experiences will broaden their horizons,” says Saenz. It’s no different than learning any other kind of activity or skill; the key is practice. “I take a piano lesson every Saturday,” he says, “and if I don’t practice, it’s not a lot of fun when I see the teacher. But if I work a little bit every day, then next time I sit down with the teacher, I’m ready to move on to another level.”

Finally, to develop their leaders, CSOs can focus on the growing number of educational programs springing up that address the needs of would-be security executives. Programs like the ISMA Leadership course at Georgetown are building their syllabi around the future skills that will be essential for CSOs. Encouraging active membership in groups like ISMA and ASIS, and the continued pursuit of appropriate certifications can also ensure that your staff keeps learning and developing the right skills for the future. (For more on education, see “Feather Your Nest,” Page 40.)


Create  Accountability 

If it hasn’t occurred to you already, leadership development is almost a full-time job in itself. Even CSOs who are serious about succession planning acknowledge that it’s often difficult to find time to stay on top of it. Saenz tries to meet once a month with each of his direct reports to check in with them, although sometimes his workload makes that impossible.

At Wells Fargo, Wipprecht’s biggest complaint about the company’s succession planning and Talent Review process is the time it takes to get through what he calls the bureaucracy. He has to assess each direct report, his current abilities as a security agent and what he needs to do in the next year to move up in the management hierarchy. The Talent Review then informs the succession plan. “It takes a lot of time,” says Wipprecht. “I have to think about each individual, what he does well and what we can give him to create a better organization one year from today.”

Building (and then consistently updating) targeted growth plans for each employee makes it easier to keep track of individual progress and to keep a succession plan alive. The danger with succession planning is that good intentions can succumb to the everyday pressures of the CSO workload. “Two out of three companies just have a bunch of development crap wrapped in their succession plan that doesn’t add value,” says Barton.

Though Wipprecht laments the amount of work that goes into succession planning, he crows over its results. “I have four directors, and any one of the four is smarter than I am and can do a better job than I’m doing,” he says. “But that drives them on. They work hard every day and, from a competitive standpoint, all four know they have an opportunity at this position.”

The lesson is simple: Treat succession planning as a regular part of operations, and the benefits will go far beyond the security of knowing that the future leadership of your business unit is assured. Your tenure as CSO will also be a more successful one. “You’ll have a stronger organization with a lot more loyalty and buy-in from people,” says Moore. “And at the back end, you’re going to put out a better and more professional product for senior management.” ■

E-mail feedback to Senior Editor Daintry Duffy at dduffy@cxo.com.




Building the future CSO


While certifications are great, they won’t get you into the boardroom. But one-stop shopping for a security education isn’t there yet. It’s up to CSOs to help change all that. By Kathleen S. Carr


COLLEGE IS GOOD. You get everything you need in one place. Classes. Peer networking. A meal plan. And a degree that proves you’re qualified. But for the security executive, college is not good—well, not good enough, anyway. Yet. Because right now, there’s no one degree that will land you a C-level security job. In fact, CSO might be the last executive-level position that requires you to cobble together your own education. “For new folks, the training ground doesn’t yet exist,” says Howard Schmidt, CISO of eBay. “There is no CSO institute. And colleges offer only an a la carte menu.”

Today  there’s  no  one  place  for  you  to 
get  your  CSO  credentials.  “The  job 
description  and  skill  set  requirements 
are  still  in  draft  form,”  Schmidt  says. 

And that job description keeps expanding. A full-blown CSO position now includes such diverse security staples as video surveillance and network intrusion detection; but it also encompasses risk measurement and analysis, regulatory compliance, outsourcing, workplace violence and homeland security.

To put your current career on hold while embarking on any postgraduate program is daunting enough—and where would you find such a broad-ranging curriculum? Academia seems poised to develop programs, but so far, the pace is slow. You need to go to one place for your security expertise and another for risk management training—not an easy thing for the professional to do.

The information security community may be a bit further along when it comes to advanced academic degrees appropriate to executive-level security leadership. In fact, several programs offering an MBA in information assurance are under development. (For more on academic pedigrees in corporate and physical security, see “On-the-Job Training,” Page 43.) Many CISOs emphasize that the ideal CSO skill set includes a strong technology background coupled with a strong business sense. CSOs need to combine an understanding of risk management and governance with an awareness of legal and regulatory issues, and they need to know their audience, says Steve Katz, president of Security Risk Solutions. “It’s a C-level job. And if we lose sight of that, we lose sight of the position we are filling.”

RESEARCH: Percentage of CSOs and CISOs who are the first to hold the title at their company: 75%


Campus Security

CARNEGIE MELLON already has two master’s-level programs that are good starting points for continuing education for CISO wannabes. Their Information Networking Institute offers a master of science in information networking, which they’ve had in place for 15 years, and a master of science in information security technology and management, which builds on an undergraduate’s technical foundation and offers specialized infosec and network security along with fundamental business courses, according to Dena Haritos Tsamitis, associate director at Carnegie Mellon’s Information Networking Institute. The first batch of students from the university’s newest master’s program will graduate in December 2004.

This 16-month program has four main components: Three aim to develop competency across management, technology and security. The fourth is a graduate research project. Here’s a sample curriculum for the school’s master of science in infosec technology and management program.

Management component
■ Information security risk management
■ Managerial economics and business management

Technology component
■ Introduction to telecommunication networks or packet switching and computer networks
■ Operating system design and implementation or distributed systems

Security component
Introduction to computer security, plus (choose two):
■ Network security
■ Secure software engineering
■ Applied cryptology

Graduate research component
Information Networking Institute graduate project and INI research seminar

SOURCE: WWW.INI.CMU.EDU

Getting There From Here

It was 1999, and John Petrie was the technical services manager at Sprint. Petrie began his career with a bachelor’s degree in international studies and military intelligence, but came to a crossroads the day his boss doubted his aspirations. The boss told Petrie he’d never rise to the executive level because security personnel didn’t understand the business. Today, however, Petrie is the CISO of the University of Texas Health Science Center at San Antonio. He had plenty of technical skills, certifications and experience. “But I didn’t have the business theory; the know-how to do budgeting and accounting,” he says. So he got an MBA.

He enrolled in an Internet-based MBA program at Washington State’s City University, finishing his degree in March of this year. “I got an MBA because I had identified shortcomings in myself,” says Petrie. “With it came the ability to determine the ROI of a project and to brief other executives on the risks of such a project.”

Smart CSOs know that for security to work, it has to act as a business enabler. “But security people tend to be risk averse,” says Mary Ann Davidson, Oracle’s CSO. “Things are either secure or they are insecure.” Businesspeople, on the other hand, are risk seekers, she says. “They know that if they don’t take risks, they’re out of business.”

David Cullinane, CISO of Washington Mutual, agrees. “To function at the C level, you need to operate more as a business manager; you need to understand business requirements and processes,” he says, “and you need to be able to discuss early adopter risk curves with the business managers. You don’t need to discuss firewall settings with them.”

For now, developing those skills means blazing your own path. Petrie was ambitious. He got his MBA while already serving as a CISO. And following recommendations set forth by the American Management Association and the Association of Professionals in Business Management, he also attended day seminars and took business courses on the side to improve his management skills—an approach that might be more feasible for those who can’t quit their day jobs to go back to school.

The  more  education  the  better,  says  Will  Pelgrin,  director  of  the 
New  York  State  Office  of  Cyber  Security  &  Critical  Infrastructure 
Coordination.  He  stresses  that  if  you  only  have  the  technology  back¬ 
ground  you’ll  need  to  develop  your  management  skills  as  well.  “You’ll 
need  to  grow  into  a  managerial  role,”  he  adds. 

You’ll  also  need  to  then  translate  the  security  needs  to  various 
audience  members,  including  the  CEO,  the  CFO  and  the  marketing 
directors.  “Whether  it’s  through  an  MBA  or  simply  a  significant  num¬ 
ber  of  gray  hairs  in  your  head,  you  must  [learn  to]  translate  the  tech¬ 
nology  to  others,”  says  Katz. 

Stanley  Jarocki,  senior  vice  president  and  ISO  of  The  Bessemer 
Group,  goes  a  step  further.  “When  I  was  young,  I  was  a  geek.  As  I 
matured,  I  had  to  sell  the  ideas  I  created.  So  I  became  a  marketer,”  he 
says.  His  suggestion:  Don’t  just  present  your  ideas,  become  financially 
attached  to  them.  “Then  you’re  part  of  the  budgeting  process,”  he 
says.  “I  now  have  to  put  all  of  those  pieces  together  and  manage  them. 


42  www.csoonline.com  June  2004 


Today’s security is just as much presentation as it is implementing. If we don’t have awareness and buy-in, there’s always someone who can undo what we put in place.”

Jarocki notes that although risk management models differ across every industry, he’s confident that the basic models of risk management can be taught. “If we give students those models, they will join the business world ready to tackle the risks,” he says. “It’d be nice to do that at the college level, but we’re not there yet,” he says.

At some point in your career, you have to move from simply doing tasks to thinking more broadly about them. “If nothing else, you have to be able to articulate the risk issues in the language of business,” says Bill Boni, vice president and CISO of Motorola. “And the language of business is not limited to technology.”

Boni is one of the founding members of a new group of security execs calling themselves The Global Council of CSOs. In addition to Schmidt, Davidson, Cullinane, Pelgrin and Katz, the group includes Rhonda MacLean, director of corporate information security at Bank of America; Scott Charney, Microsoft’s chief security strategist; Whitfield Diffie, CSO of Sun Microsystems; and Vint Cerf, a senior vice president at MCI. The group’s mission, according to Pelgrin, is to provide guidance both to academia and to the security profession to shape the CSO role.

At the group’s first meeting, in November 2003, members worked on determining the ideal CSO skill set. The challenge, Boni says, was to define a framework for certification and training. “We didn’t want to send people through a superficial orientation,” he says.

It’s an idea that The National Security Agency started six years ago when it began dubbing what is now a list of 50 schools as “Centers of Academic Excellence in Information Assurance Education.” (For a list of schools see www.csoonline.com/printlinks.) Colleges and universities apply for the honor of being included on the list, and the students who attend the designated schools are eligible for federal scholarships.

“The NSA’s list is a logical starting place,” says Schmidt. “But it’s tough for people to stop working and start a two-year degree.” As an alternative, Schmidt has been working with Carnegie Mellon to develop a CSO institute for working infosecurity leaders, and to then share that information with other universities so that they can build their own programs as well (see “Campus Security,” opposite page).

In addition, Eugene Spafford, a professor and director of the Center for Education and Research in Information Assurance and Security (Cerias) at Purdue University, explored the possibility of starting a CSO institute four years ago—but the external interest wasn’t there at that point. Spafford hasn’t given up hope; this fall Purdue will inaugurate an executive MBA program in information security that will allow CSOs to work independently on their degrees while spending a minimal amount of time on campus. He says the university will conduct market research for the CSO institute this summer that will include analysis of the enrollment in the executive MBA program.

It took decades for current CSOs to be viewed as valued members of the executive team. Those who are there now have put in their time. They have experience, and they’ve developed business skills either by finding a way to attend classes in their free time or by learning the hard way how to define security as something other than a cost center. Academia is on the heels of the profession’s development. Just as many CSOs built their organizations’ current security department, they’ll need to do the same within colleges and universities to enhance the role and ensure that tomorrow’s graduates have the education to do a CSO’s job. If they don’t, they’ll have only themselves to blame. ■

Kathleen Carr, CSO’s assistant managing editor, can be reached at kcarr@cxo.com.

On-the-Job Training

WHILE INFORMATION security leaders have relatively few options for pursuing a CISO-oriented degree, it's even harder to find advanced academic degrees that focus on the corporate and physical side of security.

According to George Campbell, former head of security for Fidelity Investments, entry-level corporate security employees frequently sport an undergraduate degree in criminal justice, or what Campbell describes as a spin off of criminal justice: security administration. Campbell mentions Michigan State University and Northeastern University as offering mature, exemplary programs. However, Campbell agrees that higher-level security leaders require a broader knowledge base that includes management strategies, risk measurement and business concepts. In the absence of a full-blown CSO-worthy degree, some universities do offer short, intensive training programs in security leadership.

Georgetown University, for example, teamed up with ISMA—the International Security Managers Association, whose members are the security leaders at Fortune 500-type organizations—to create just such a program. Campbell, who as a former ISMA president was involved in developing the course, says the focus is on strategic planning. Attendees first spend three days in the classroom, designing a particular strategic planning project related to their current job. They return to their employers for three months to execute the projects—with an ISMA member assigned to coach each student through the process. Then it’s back to Georgetown to present their work in a two-day intensive wrap-up session.

Similarly, in May, the University of Pennsylvania's Wharton School of Business announced a program designed in collaboration with ASIS International (another security membership organization). Participants in the Wharton/ASIS Program for Security Executives spend one week on campus, one month back at the office to apply what they learned, then another week back in the classroom. The Wharton curriculum covers a broad range of business functions, including marketing and finance. -Derek Slater

The Job Market

Recruiters see a definite shift in what employers are looking for in a CSO. For more details, see “The Right Stuff” at www.csoonline.com/printlinks.




Building  the  future  CSO 


Experts show how to sharpen six key skills for the future CSO


Build  a  Better  Business  Case 


CHOOSING HER WORDS carefully, Nina Burgess describes her employer, Fortune 500 financial company Comerica, as “very intentional.” By that, she means it’s a company with lots of process and a deliberate decision-making model. If you want to spend the company’s cash, you’d better have your business case down cold. That’s because you’ll have to make your pitch to the Strategic Investment Committee, an august body of top-level leadership that generally meets every four months to scrutinize every major investment proposal.

The company has a multistep process for ensuring that the business case presented for each project is truly accurate.

So how does the information security group get a significant security investment through that gauntlet?

Ideally, it doesn’t. The businesspeople do it.

That’s how it came to pass that Burgess, vice president for product development in the company’s treasury management business, found herself pitching the Strategic Investment Committee on encryption software. Burgess says her business unit needs to share lots of data with clients old and new. Unfortunately, over the past several years, sharing that data in a secure manner has become so difficult that it hindered Comerica’s ability to sign up new customers. Burgess went to the information security group for help. Top of her list of requirements: simplicity. Some of Comerica’s customers are smaller companies that can’t afford expensive client software and don’t necessarily have large, sophisticated IS groups. Common solutions such as PGP (Pretty Good Privacy encryption software) were too complex for these clients, according to Kenneth Schaeffler, first vice president for Comerica’s corporate information security services—which meant that Comerica’s own IS manpower would get tied up solving customer support issues.

Schaeffler’s group routinely scours the landscape of emerging infosecurity technologies. (Schaeffler calls this systematic effort the “security architectural domain process,” in case you thought talk about Comerica’s process-heavy style was exaggerated.) When Burgess approached the information security team with a bulleted list of requirements, the group found a possible match in software from a company called Cyber-Ark. Cyber-Ark creates an encrypted electronic “vault” into which sensitive files can be placed; remote clients and customers can log in and access the files via the Internet, instead of using FTP or other standard solutions that may be slower or are not designed with security in mind. (In other industries, Cyber-Ark gets used for storing things like CAD/CAM files or even password lists.) Scott Vowels, vice president of security architecture and engineering, says the Cyber-Ark approach proved easy for clients to manage—satisfying Burgess’s top requirement—as well as being in sync with Comerica’s overall information security architecture.

So together, Burgess’s and Schaeffler’s groups built the business case. And before they presented it to the Strategic Investment Committee, they put the idea through its paces by garnering feedback from a working team that included the IS department and business-side representatives from across Comerica’s broad geographical reach (the company operates in the United States, plus Canada and Mexico).

Satisfied that the proposal would stand up to scrutiny, Burgess presented the purchase not as an infrastructural investment but as a revenue generator. If signing up new customers becomes easier, it stands to reason that you’ll sign up more customers. In fact, Comerica set out to actively market its increased security, issuing press releases and serving as a customer reference for Cyber-Ark.

Two more key points in the business case: First, because the solution was easy to manage on an administrative level, the business operations side took over that task, rather than the IS group. That makes for a lower overall cost of support, Burgess says, since IT manpower is typically more specialized, and therefore more expensive, than the average operational employee. Second, according to Vowels, other business units, in addition to Burgess’s treasury group, can also benefit from the software, because it’s fairly simple for more Comerica units to drop information into the same client vault. That means more ROI is possible (though not guaranteed) without significantly increasing the original investment.

It goes to show that the best business case is one built, and presented, by the business.

-Derek Slater

TAKEAWAYS

■ Look for ways to extend investment benefits beyond the immediate problem

■ Scrutinize the idea with a cross-functional team before it goes in front of the check-signers

■ Have business-side beneficiaries pitch the investment

How to Change People’s Minds

MANY SECURITY executives have yet to master the power of persuasion. Take a lesson (or seven) from Howard Gardner, author of Changing Minds: The Art and Science of Changing Our Own and Other People’s Minds (Harvard Business School Press, 2004). Gardner’s first step toward changing a person’s mind is no surprise: Know thine audience. The tactics you use to influence a board of directors should be different than those you use to persuade a large group of employees. Age is another factor to consider. “As you age, the neural networks become like a road that has been driven down over and over again. There are deep ruts,” Gardner says. Beliefs also become deeply ingrained and reinforced over time; the longer people believe something, the better they get at deflecting counterarguments. A CEO who has always thought security should operate unobtrusively, behind the scenes, will be harder to sell on the need for a new high-profile badging and access control system than a group of younger and newer employees. Gardner has identified seven factors—he calls them levers—that are effective in influencing a person to change his mind:

1. Rational reasoning: Logically outline the pros and cons of a decision.

2. Research: Present data and relevant cases to support the argument.

3. Resonance: Use your likeability and emotional appeal to win support for your view.

4. Representational redescription: Make your point in many different ways. Use humor, stories, pictures; act out a scenario.

5. Resources and rewards: Use rewards or punishment as incentives to convince someone to adopt your view.

6. Real world events: Use events from society at large to make your point (for instance, the most recent high-profile CEO laptop theft).

7. Resistances: Understand the factors that cause people to reject your view. Such insights can make it easier for you to change their minds.

Understanding resistance and why it exists is particularly important. For example, a little reconnaissance might reveal that employees object to the company’s new badging system because they dislike the inconvenience of having to wait at the security checkpoint every morning. Instead of focusing on the intrinsic goodness of the new system, CSOs would be more persuasive by addressing that annoyance directly. Acknowledge that it will take employees an average of three to five minutes longer to get to their desks in the morning. But also point out the benefits: that since the system’s launch there hasn’t been a single crime in the building, and that the checkpoint detected two people who didn’t belong in the building, one of whom was carrying a weapon. Those are powerful counterarguments to a little inconvenience.

Some levers will work better than others in a corporate environment. A CSO who relies strictly on his charm to “resonate” with his audience may not get very far. But the use of stories (representational redescription) can be very effective. Just be sure that the stories you communicate are inclusive rather than built around scare tactics. “Try to incorporate everyone in the same narrative and convince people that we are in this together,” says Gardner. He notes that community policing is successful because people in the neighborhood see the cops trying to achieve the same goal they are—a safe neighborhood. Inclusiveness goes even further if you can get other people within the corporate “neighborhood” to tell some of the stories and evangelize for you. “As a CSO, I would feel better if the CIO and CEO were singing the same song as well. That way it’s more of a choir, less of a solo,” Gardner says.

The biggest challenge CSOs are likely to run up against is fundamentalism—not in the religious sense, but in the form of a conscious decision made by a person not to change his mind. When you encounter people whose opinions are so fixed and unwavering, Gardner advises security executives not to waste their time trying to change them. Gardner notes that he has had a long string of assistants who would leave their desk drawers open despite his frequent warnings about pocketbook safety. “Every now and then I would steal their wallets just to show them,” he says, “but eventually I got too old.” Plus, he says, it never worked anyway.

-Daintry Duffy

TAKEAWAYS

■ Tweak the message for each different audience

■ Understand the reasons others are resisting an idea

■ Try Gardner’s seven “levers” for influencing others’ views


How to Keep Tabs on Technology

FIREWALLS. HACKERS. Intrusion detection. Event correlation. Web services and file sharing. Application vulnerabilities. With all the things a CSO has to worry about, it’s a wonder you’re all not curled up in a corner, bathed in sweat and muttering nonsense to yourselves. Today’s unavoidable reality is that security execs need to stay on top of a plethora of emerging technologies and threats in order to keep disaster at bay.

Ask Gene Fredriksen, vice president of information security at Raymond James Financial, how he and his staff stay current, and the short version of his answer is, “Through every avenue possible.”

Fredriksen assigns software security engineers in his group to track new technologies in their areas of expertise. So, for example, one of these senior-level specialists follows intrusion detection and protection. That entails working with the current vendor, watching other vendors in the space and briefing the rest of the group on emerging technologies and methods. Fredriksen then uses that information from his staff to help develop his group’s annual strategic and operations plan (which, as a side note, he believes every infosecurity group should have). “We also read the magazines, read reviews, talk to peers and participate in working [and industry] groups,” he says, specifically mentioning BITS (a financial services industry organization), Information Systems Security Association (ISSA), InfraGard (the FBI’s private-sector outreach initiative) and a variety of security meetings hosted by vendors.

While following what’s new in the security marketplace is important, tracking emerging threats is the heart of an infosecurity program. Fredriksen relies heavily on the financial services information sharing and analysis center (FS-ISAC) to pass along information on cyberattacks. “I get more of a real-time sense of what’s happening in our industry,” he says. He also gets alerts from Guardent, a managed security services provider that has intrusion detection sensors on some of the external points on his network. “What they’re seeing around the globe—where they have all their sensors—allows me to correlate with my sensors. If I’m seeing some kind of attack on my sensors, it’s very valuable for me to know if only Raymond James is seeing the attack, or if it’s a U.S. [attack] or a broad denial-of-service attack on the Internet,” he says. Those same sources—industry and working groups, vendors—also help him track future trends, vulnerabilities and exploits.

To make sure information is shared internally, Fredriksen holds weekly infosecurity meetings to track action items. He also sends out monthly, management-level reports. The first part of each report tracks metrics and trends. The second part discusses emerging threats, analyst forecasts and general security news. Sending these reports keeps infosecurity uppermost in executives’ minds, he says, and he highly recommends the practice to those security execs who complain that senior management doesn’t “get” security.

Turning to the importance of sharing information externally, Fredriksen points out that hackers have done a better job of communicating with each other than security professionals have. Computer criminals readily share code, exploits and other information via online bulletin boards, newsgroups and similar means. “On the other hand, we on the corporate side of information security have pulled back and said we’d better not talk to each other, lest we give something up. There’s information about your corporate information security structure you must maintain confidentiality for, but we have to get better about sharing information on exploits and vulnerabilities,” he says.

Although Fredriksen relies on the FS-ISAC, he does worry that national organizations like the ISACs and DHS may get bogged down in a bureaucracy that saps their effectiveness. So he advocates working at the local level as well. Fredriksen hosts an annual cybersecurity summit with the FBI at St. Petersburg College in Florida. Last year’s event brought in more than 300 attendees. “We are all in it solely to raise security awareness and the level of knowledge throughout the area,” he says. Fredriksen also serves as president of the Tampa Bay chapter of ISSA and is helping St. Petersburg College roll out a bachelor’s degree in infosecurity management.

Fredriksen says information sharing is improving. “We used to be very aggressive about not even divulging what firewall we used. Now we’re at the point where we are setting up user groups about different types of firewalls.”

-Todd Datz

TAKEAWAYS

■ Assign specialized staffers to track technologies in their areas of expertise and hold internal briefings

■ Connect with peers in every possible way

■ If you can’t find sufficient local information-sharing groups, start one yourself

How to Market the Security Group

TAKEAWAYS

■ Communicate security tips and value through a variety of media

■ Use the carrot much more than the stick

■ Don’t be boring—be imaginative!

ANITA LETO, as director of IT transformation at Ouellette & Associates, is a consultant who advises CIOs on how to market the IT function internally (so as to “not get outsourced,” she says). That focus also gives her an awareness of the uphill battle CSOs face when it comes to selling the security function within their companies. CSOs need to overcome the perception that the security function is foe, not friend, and instead convince employees at all levels that good security is good for business.

Leto has ideas to help get the job done.

Classic security behavior, such as taking the big-stick, do-this-or-else approach, is doomed to failure. Instead, the essence of marketing security involves letting others know what’s in it for them, and customizing that message for different audiences. (See “How to Change People’s Minds” on Page 46 for another take on that latter point.) For example, tell the CEO and CFO that one of the biggest benefits of security is making sure the company stays out of The Wall Street Journal in a negative light—that no news is good news. After all, executives care deeply about company image. For lower-level employees, such as customer-service reps (CSRs), the message could be that their jobs are at stake—though using a more diplomatic choice of words. That is, a CSO could talk about how much better it is to have a call center in the United States than in India because security can be better enforced stateside. CSRs can contribute by shredding documents and remembering their badges.


For  all  employees,  the  under¬ 
lying  message  must  be  that  good 
security  is  inherently  linked  to 
the  success  of  the  business. 

Leto  exhorts  security  leaders 
to  be  imaginative,  even  goofy, 
when  it  comes  to  marketing 
security.  She  suggests  awarding 
a  “spirit  of  security"  award  every 
month  to  departments.  Another 
twist:  Give  the  award  at  a  travel¬ 
ing  dog  and  pony  show.  Ask  the 
head  of  a  department  for  a  10- 
minute,  all-hands  meeting  dur¬ 
ing  which  you  give  the  award 
rather  than  merely  announcing 
it  via  e-mail.  Newsletters  (in 
either  paper  or  e-mail  form)  can 


be  an  effective  means  of  commu¬ 
nication,  but  Leto  advises  keep¬ 
ing  them  to  a  half  page,  and 
writing  them  in  a  clear  business 
language  that’s  on  the  catchy 
side.  Another  way  to  reach 
employees  is  by  putting  impor¬ 
tant  security  messages  on  white¬ 
boards  set  up  on  easels  in 
entryways  throughout  a  building. 
One  of  Leto’s  clients,  a  hospital, 
flashed  a  new  security  policy  on 
the  JumboTron  in  the  cafeteria. 

Demonstrating  security  prod¬ 
ucts  or  issues  is  also  helpful. 
Hold  a  tech  fair  in  the  company 
cafeteria  to  show  a  new  finger¬ 
print  ID  system  or  a  new  log-on 


Howto  Talkto the  Board 


SOME  OF  TODAY’S  CSOs 
never  stand  before  their  boards 
of  directors.  But,  hey,  that  could 
change  after  your  next  external 
audit.  And  while  addressing  the 
board  may  not  quite  be  like 
arguing  a  case  before  the 
Supreme  Court,  you’ll  still  want 
to  make  the  most  of  your  access. 
So  hearken  to  David  Burrill, 
head  of  group  security  at  British 
American  Tobacco  (BAT).  Bur¬ 
rill  has  been  reporting  to  the 
BAT  board  since  he  joined  the 
company  in  1992. 

Burrill  speaks  to  his  com¬ 
pany’s  board  about  four  times  a 
year.  He  also  meets  with  differ¬ 
ent  members  of  the  board  (for 
example,  Chief  Executive  Paul 
Adams)  on  an  as-needed  basis. 
He  generally  provides  overall 
security  status  updates  from 
BAT’s  operations  around  the 
world.  If  there’s  a  crisis,  he 
might  appear  before  the  board 
once  a  week  for  as  long  as  the 


crisis  lasts  (Burrill  chairs  the 
company’s  crisis  management 
committee). 

If  he  chooses  to  submit  pre¬ 
liminary  paperwork,  it’s  usually 
a  page,  never  more  than  three, 
stating  the  topic  and  back¬ 
ground  information.  But  Burrill 
won’t  simply  turn  in  a  written 
report.  “I  give  an  oral  brief.  If  I 
stick  to  the  written  one,  it  means 
I’m  not  getting  formal  exposure 
to  the  board  and  I’m  not  likely  to 
pick  up  questions  they  raise  in 
person.  I  need  that  interface 
with  them  as  a  corporate  body,” 
he  says,  pointing  out  the  impor¬ 
tance  of  interpersonal  connec¬ 
tion.  Effectively  communicating 
with  the  board  also  reinforces 
the  image  of  the  head  of  security 
as  an  important  player  in  the 
business.  “I  tend  to  talk  to  them 
as  if  I’m  one  of  them,”  he  says, 
adding  that  he  doesn't  do  a  lot 
of  PowerPoint  presentations. 

Burrill  speaks  proudly  of  a 


procedure.  For  a  frugal 
approach,  hand  out  trinkets. 
One  of  Leto’s  clients  distributed 
huge,  red  panic  buttons  with 
an  important  security  message. 

Leto  likes  the  idea  of  coming 
up  with  a  security  theme— a  slo¬ 
gan  that  sums  up  why  security'  is 
important.  It’s  something  a  CSO 
could  say  at  every  presentation 
and  that  HR  or  other  depart¬ 
ments  could  stress.  Often,  she 
says,  CSOs  communicate  too 
many  messages,  increasing  the 
chance  that  employees  will  tune 
out.  One  simple  theme  helps 
get  everyone  marching  to  the 
same  beat. 


Mandatory  training  sessions 
have  their  place  as  well,  but 
again,  Leto  emphasizes  making 
these  sessions  fun,  not  Power¬ 
Point  snooze-a-thons.  Instead  of 
showing  a  slide  of  bullet  points 
on  laptop  safety,  demonstrate 
how  someone’s  laptop  could  be 
swiped  at  Starbucks.  If  you’ve 
only  got  an  hour,  says 
Leto,  “It  better  be 
an  interesting 
hour.  Or  at  least 
have  doughnuts.” 

-T.D. 


David  Burrill 


TAKEAWAYS 


■  Focus  on  value  added 
not  just  cost  removed 

■  Speak  as  a  peer 

■  Keep  written  support 
materials  concise 


presentation  he  gave  to  the 
board  last  year.  In  2003,  he 
undertook  a  megatask— pro¬ 
ducing  a  worldwide  security 
cost/benefit  analysis  for  all 
of  2002,  which  he  says  was  the 
biggest  such  analysis  conducted 
by  the  company  for  any  function, 
ever.  He  says  the  process  worked 
extraordinarily  well  and  that  it 
proved  the  value  of  security  by 
showing  that  it  added  to  the  bot¬ 
tom  line.  He  says  that  CSOs  are 
too  eager  to  focus  on  cutting 
costs.  “Very  often,  on  the 


resumes  of  security 
guys  applying  for  jobs, 
they’ll  say  how  much  money 
they  saved  by  reducing  [the 
number  of]  security  guards— 
there  seems  to  be  a  fixation.  The 
challenge  isn’t  about  just  saving- 
on  organizational  structure.  It’s 
whether  you  are  able  to  deliver  a 
functional  service  that  adds 
profit  to  the  company,  not  just 
reduce  overhead,”  says  Burrill. 

-T.D. 


June  2004  www.csoonline.com  49 


Building the Future CSO


How to Serve Multiple Masters


WHEN YOU RENT OUT your great big house to strangers; and those strangers invite their friends over; and those friends are looking to have what’s known as “a ripping good time”; and you are the one responsible for making sure things don’t get out of hand while the guests are having that ripping good time—you’ll find that you have a lot of different, but sometimes interlocking, interests to serve.

That’s roughly the position in which Steve Denelsbeck finds himself as security manager for the FleetCenter in Boston, home to the Boston Celtics and the Boston Bruins, and host of assorted concerts, circuses and other extravaganzas, including the Democratic National Convention late next month. The convention was initially seen as a magnificent civic coup, but it has now become the bane of local residents and commuters alike by exacting a variety of pesky inconveniences in the name of security.

Denelsbeck deals with all of the FleetCenter’s guests, employees, owners, service providers and relevant local, state and federal public-safety agencies. This deft balancing act calls for high levels of diplomacy, discipline, energy and patience. Technically, he reports to FleetCenter General Manager John Wentzell and to Corporate Security Director Mark Farrell of Delaware North (which owns both the FleetCenter and the Boston Bruins). But Denelsbeck’s community of allegiances is much broader.

TAKEAWAYS

Listen carefully and weigh everyone’s priorities and job requirements

Be diplomatic, but execute decisively—you can’t please everyone

“I report to quite a number of people,” he says. “Mainly it’s the heads of the NBA and NHL. But it’s also the FleetCenter executive and operations management groups. Then there’s the people that I work for at Security Systems Inc. [SSI, the FleetCenter’s outsourced security service provider], which was purchased in March by Allied Security. So now I [will report to] all sorts of people that I have yet to meet. Then there’s Delaware North.... With regard to the convention, there’s the Democratic National Convention Committee, or the DNCC, and ‘Boston 2004’—the Mayor and the city officials. As well as the Secret Service and the FBI. I work for all those people. I’ve been detailed, if you will, to these different groups as a consultant, adviser, support person.

“It’s  very  interesting.” 

When asked what prepared him to find such densely complicated challenges “interesting,” Denelsbeck laughs and cites his stint as an Army Ranger. “As a private, you report very directly, very clearly, to the specialist—the E-4—the very low-ranking person above you. It’s not a technicality or something [that’s just] on paper. That E-4 will have you crawl through the same dirt as any sergeant, or officer or anyone else.” In addition, he says, Rangers learn to be of service. “Throughout the military, wherever you go, as Army Rangers we work for the civilian community. You need something, we do it. So, coming here, it’s no surprise that I work for everyone. Really, [that’s] any security director’s role,” he says.


But in civilian life, being outranked doesn’t always mean following every order. Your job, he says, is “protecting everyone in your corporation not only from [outsiders], but from themselves. It can cause quite a bit of controversy. You may be outranked at times, but that doesn’t necessarily mean you’ll be doing as you’re asked. You have to know how and when to tell people something’s not going to play out as they would like.”

So, how do you do that? “It’s not easy.... You have to get to know each and every individual and find out their patience level, how important their business really is. I spend a lot of time understanding everyone’s job and what sort of pressure they get when they have to report up.”

It also boils down to diplomacy, he says. And the ability to pay attention to many inputs at once. “Listening is huge; it’s critical. When I’m talking to one person, I’m also trying to understand what’s happening to my left or my right. I’m in constant conversation with lots of people, listening to every need and concern they have. But when it’s time to execute, it all comes down to being firm but respectful. You have to be very decisive.”

Does Denelsbeck ever jones for a simpler life? “I can’t imagine. I would think it would be terribly boring!” ■

-Lew  McCreary 


How  to  Find  More  of  What  You  Need 


Visit  CSO’s  Security  Executive  Research  Center  for  more 
helpful  advice.  Go  to  www.csoonline.com/research. 




PHOTO  BY  TRACY  POWELL 


Effectively Manage Security Risk. Managing the storms caused by security breaches can be overwhelming, but with Netcool® for Security Management™, it doesn’t have to be.

A single ‘umbrella’ for managing network, system, security data and more, Netcool for Security Management dramatically simplifies operations.

Our highly scalable solution can help your teams quickly identify the real threats from all the noise, showing when, where, and why problems occur.

From a single desktop your teams can assess vulnerabilities, correlate threats, prioritize severity, and most importantly, take action, all in real time.

So focus your limited resources on real threats in real time. Protect your business assets and reduce your risk.

Netcool for Security Management.

Simplify. Identify. Resolve.

Micromuse
NETCOOL SOLUTIONS
www.micromuse.com/security
+1 415.538.9090

© 2004 Micromuse, Inc. All Rights Reserved.




2nd Annual EXECUTIVE WOMEN’S FORUM
Information Security, Risk Management & Privacy

September 8-10, 2004 | Sanibel Harbour Resort & Spa | Fort Myers, Florida


Bringing  Together  Women  of  Influence 

Hosted  by  Alta  Associates,  Inc.,  the  2nd  Annual  Executive  Women’s  Forum  (EWF) 
will  bring  together  more  than  200  women  of  influence,  power  and  intelligence  to 
discuss  the  best  practices  in  information  security,  risk  management  and  privacy. 


Connect with other successful information security professionals during panel discussions, birds-of-a-feather meetings, executive coaching sessions and keynotes from the industry’s top minds!


Share  your  experiences  through  open  and  honest  conversations  with  executives 
from  the  world’s  largest  corporations,  hottest  new  start-ups,  academia  and  the 
public  sector. 


KEYNOTE  PRESENTATION 

ANN  CAVOUKIAN,  PRIVACY 
COMMISSIONER,  ONTARIO,  CANADA 


Join  your  peers  at  the  de  facto  venue  for  women  of  influence. 
For  more  information  on  the  EWF  or  to  register,  please  visit: 
www.infosecuritywomen.com 


“The Executive Women’s Forum gave me a renewed ‘can-do’ spirit. There are few—if any—forums that offer this unique combination of keen intellect, practical application of information security, and female bonding.”

MARYANN DAVIDSON, CSO, Oracle Corp.

“The Executive Women’s Forum was a milestone event in my career. I came away re-energized, with many thought-provoking ideas to use in my own life, and with an expanded network of friends and colleagues.”

LINDA M. STUTSMAN, SVP, Bank of America


EXECUTIVE COACHING
Rhonda MacLean, CISO, Bank of America

EXECUTIVE LEADERSHIP: WHAT KEEPS YOU UP AT NIGHT?
Moderator: Teri Shaffer, partner, Ernst & Young

STRATEGIC SMARTSOURCING: CHALLENGES AND SOLUTIONS
Moderator: Simone Seth, global director of data privacy, Deutsche Bank

KEY CHALLENGES IN PRIVACY TODAY
Moderator: Michele Drgon, CPO, Motorola

TECHNICAL ISSUES AND SOLUTION APPROACHES: NEW TECHNOLOGIES
Moderator: Diana Kelley, executive security advisor, Computer Associates

CRYSTAL BALL: FUTURE TECHNOLOGY
Moderators: Becky Bace, president and CEO, Infidel, Inc. and Stephanie Fohn, former president, Security Focus



WOMEN  OF  INFLUENCE  AWARDS 


Be  sure  to  submit  your  nomination  for  the  inaugural  Women 
of  Influence  Awards,  copresented  by  CSO  magazine  and  Alta 
Associates.  These  awards,  honoring  four  women  for  their 
accomplishments  and  leadership  roles  in  the  fields  of  security, 
risk  management  and  privacy,  will  be  announced  at  an  awards 
ceremony  during  the  Executive  Women’s  Forum.  Nomination 
forms  can  be  found  at  www.infosecuritywomen.com. 
Nominations  must  be  submitted  by  July  2,  2004. 


Media  sponsor  and 
awards  co-presenter: 

CSO 

The  Resource  for 
Security  Executives 


Forum  host  and  awards  co-presenter: 


Specialists  in  Executive  Recruitment 


If you’re not thoughtful about your approach to balancing computer security with computer usability, you may end up with neither. By Simson Garfinkel


ONE OF THE HARDEST things about computer security is making the so-called secure computers easy to use. Indeed, building computers that are both secure and usable is so difficult that many IT professionals believe that security and usability are antagonistic goals that must be balanced.

Think, for example, about passwords. Computers without passwords are easy to use, but not very secure; anyone who sits down at the machine’s keyboard or logs on over the network can access anything he wants. However, access controls—long, difficult-to-guess passwords that prevent the bad guys from breaking in and learning the computer’s secrets—make computers difficult to use. So organizations naturally weigh security needs against user convenience.

The problem with this balancing act is that it often produces systems that are neither secure nor usable. The extremely usable system without passwords won’t be much use if somebody breaks in and deletes all of its files. And the secure system with the hard-to-guess passwords won’t be very secure after users post their passwords on little yellow stickies.

One reason that security traditionally has been viewed as the enemy of usability has to do with the way that security was incorporated into many traditional computing environments. Until very recently, security was frequently an extra—something added to existing operating systems and applications. Want to encrypt your business plan? Start with a word processing application, save the document in a file, then go back to that file and encrypt it with a file encryption program to add the missing security. Of course, the deleted copy of the business plan is still floating around on your hard disk, so you also have to run a special program to sanitize the hard disk.

ILLUSTRATION BY ANASTASIA VASILAKIS

Technologies, Tools

All of these extra steps take work and require training. Make a mistake, and you might unknowingly compromise the system’s security or, even worse, wipe out your data.

Today, features like file encryption and disk sanitization are built directly into applications and operating systems. The result is that using cryptography to protect a document is now much easier. For example, both Microsoft Word and Adobe Acrobat let you put a “password” on a file when you save it. This so-called password is actually used to generate an encryption key that, in turn, is used to encrypt your document. When you go to open the file, the application sees that the file has been encrypted and prompts the user for the password once again. A valid password can be used to decrypt the file, while an invalid one results in gibberish.

Sanitizing disk drives is also getting easier. Apple’s Mac OS version 10.3, for example, gives users the option to “Empty Trash” or “Secure Empty Trash.” Choose the Secure option and the operating system overwrites every block in each deleted file. Likewise, the Mac OS disk format program now allows you to click a button labeled “options” to explicitly wipe every block.

Using  the  User 

Building security into desktop applications in a way that makes the security easy to use can be a difficult task—most programmers have a hard time building systems that are usable or secure in the first place.

Consider the problem of basic application design. Usability engineering is difficult for most programmers because a programmer usually designs software for a single user: himself. But different people use complicated software differently. Often, people who think like the original programmer find the program easy to use, while people who think differently find the program incomprehensible.


Academics have learned a lot over the past decade about how to build software that’s user-friendly for a broad spectrum of users. An important principle for usability is that of iterative design. Once an application’s user interface is designed, it’s important to put it in front of users and see how they use it, sometimes under the watchful eye of a small focus group. Ideally, the developers will observe both inexperienced and expert users attempting to use the prerelease applications. They can observe the users’ frustrations and then go back and fix the code.

Iterative design is very successful for designing word processing and stock-trading applications. But when it comes to security measures, iterative design isn’t enough. That’s because users are ill-equipped to make valid security judgments.

Consider once again the issue of file encryption. There’s a big difference between using a password to create an encryption key, and simply storing the password in a file and then checking when the file is opened to see if the password in the file matches what the user typed in. In the first case the contents of the file are truly unrecoverable unless you can guess the password. In the second case, the file’s contents can be recovered by opening the file with another program and looking at the raw data.

Observing a focus group may tell you how difficult it is to find the dialog box that’s password-protecting a file. But focus group participants are paid to run the software, not to look for ways to compromise its security. The group won’t be able to tell you that Microsoft Word uses the RC2 encryption algorithm with a 40-bit key when it saves a file with a password, while Intuit’s Quicken doesn’t use any encryption at all.

Yet this difference has real security implications: use a block-level disk editor to open a password-protected Word file and you’ll see just gibberish, but look at the contents of a Quicken file and you’ll see the names of all the payees in the check register.
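The two designs contrasted above (a stored-password check versus a password-derived key), together with the raw-data check from the Word/Quicken comparison, as a constructed Python example added here. It is not Word’s, Quicken’s or the author’s code: the file layouts, magic strings and the HMAC-based keystream are my own stand-ins for a real cipher, chosen so the example needs only the standard library.

```python
"""Two file formats that both ask the user for a 'password'.

Format A only checks the password and keeps the body in plaintext.
Format B derives an encryption key from the password and encrypts the body.
Constructed demonstration; nothing here is a real application's format.
"""
import hashlib
import hmac
import secrets

MAGIC_CHECK = b"PWCHK1"  # format A: password check, plaintext body
MAGIC_ENC = b"PWENC1"    # format B: password-derived key, encrypted body
PBKDF2_ROUNDS = 100_000


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream with HMAC-SHA256 as the PRF. A real application
    # would use a block cipher (the article cites RC2 in Word); this stand-in
    # keeps the example dependency-free.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def save_check_only(data: bytes, password: str) -> bytes:
    # Format A: a hash of the password sits next to the untouched plaintext.
    # The 'protection' lives only in the application's open dialog.
    digest = hashlib.sha256(password.encode()).digest()
    return MAGIC_CHECK + digest + data


def open_check_only(blob: bytes, password: str) -> bytes:
    if not blob.startswith(MAGIC_CHECK):
        raise ValueError("not a format A file")
    stored, body = blob[6:38], blob[38:]
    if not hmac.compare_digest(stored, hashlib.sha256(password.encode()).digest()):
        raise ValueError("wrong password")
    return body


def save_encrypted(data: bytes, password: str) -> bytes:
    # Format B: derive a key from the password (salted, iterated), encrypt the
    # body under it, and add a MAC so a wrong key is rejected outright instead
    # of yielding gibberish.
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, 32)
    body = bytes(p ^ k for p, k in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return MAGIC_ENC + salt + nonce + tag + body


def open_encrypted(blob: bytes, password: str) -> bytes:
    if not blob.startswith(MAGIC_ENC):
        raise ValueError("not a format B file")
    salt, nonce, tag, body = blob[6:22], blob[22:38], blob[38:70], blob[70:]
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, 32)
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong password or corrupted file")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


def raw_bytes_reveal(blob: bytes, needle: bytes) -> bool:
    # The 'block-level disk editor' test: is the plaintext present in the
    # bytes that actually sit on disk, whatever the application's dialog says?
    return needle in blob


def compare_formats(data: bytes, password: str) -> dict:
    # Summarise what each format leaks to someone reading the raw file.
    needle = data.split(b"\n")[0]
    check_only = save_check_only(data, password)
    encrypted = save_encrypted(data, password)
    return {
        "check_only_opens": open_check_only(check_only, password) == data,
        "encrypted_opens": open_encrypted(encrypted, password) == data,
        "check_only_leaks_plaintext": raw_bytes_reveal(check_only, needle),
        "encrypted_leaks_plaintext": raw_bytes_reveal(encrypted, needle),
    }


if __name__ == "__main__":
    # Constructed sample 'check register' (not real data).
    register = b"Payee: ACME Office Supply $250.00\nPayee: Jane Roe $40.00\n"
    print(compare_formats(register, "hunter2"))
```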

Clearly, synergy between usability and security requires that software start with


Messaging Matters

INSTANT MESSAGING: employees love it, but CISOs regard it with ambivalence (at best). IM ramps up a company’s real-time communication, and offers potential productivity and customer-service benefits. At the same time, IM can carry intellectual property out of the company, and viruses in.

So what’s a well-intentioned security leader to do? The IT department can’t simply block the use of IM. Yet giving users free rein to choose among IM products, with their varying levels of application security, bypasses a profusion of easy-to-use, add-on IM security products. Michael Osterman, founder and president of Osterman Research, says roughly 70 percent of companies still rely on consumer-grade products from AOL, MSN and Yahoo rather than software engineered for enterprise use.

“In companies that have established a corporate standard, 34 percent have settled on one or more of these products,” he says. As for companies that are either forbidding IM use or attempting to curb IM traffic, Osterman’s research suggests that’s an unsustainable strategy: 45 percent of respondents to an April 2004 survey report that they are unable to block all IM clients, which he says “tend to be very resourceful.”

Osterman says that there are three important attributes of IM security: basic encryption, ensuring that messages reach only the intended recipients; archiving, so as to preserve the content of messages (especially important in financial services companies where regulations require retention of electronic discussions); and what Osterman calls name-space control, which involves enforcing a policy on employee IM screen names within a corporate directory.

Here are six examples of companies whose products may help businesses get a grip on IM.

Akonix www.akonix.com
Akonix claims that its L7 Enterprise product aims to bring security, real-time management, reporting and regulatory compliance to the wild world of enterprise IM. The product supports AOL, ICQ, MSN and Yahoo IM clients, with optional connectors for integrating IM traffic from IBM, Microsoft and Reuters. L7 Enterprise offers real-time policy enforcement and management, plus other features such as logging and archiving.




WHEN THE INFRASTRUCTURE IS LOST, ACCESS TO THE INFORMATION ISN’T.

THAT’S INFORMATION AVAILABILITY.

Constant, uninterrupted access to critical data. Even when something goes wrong. That’s Information Availability. The power is always on. The network is always there. Systems are always ready. And there’s no better provider of Information Availability than SunGard. As the experts in Disaster Recovery, we’ve spent 25 years building secure, redundant, hardened infrastructures. We’ve seen what can go wrong and we know how to prevent it. So you can relax, knowing your information is always there. No matter what happens, your business stays in business. For more information, visit www.availability.sungard.com or call 1-800-468-7483.

SUNGARD Availability



a secure substrate. No matter how easy Intuit makes putting a password on that Quicken file, the underlying data will never be secure.

Good  Recovery 

A good user interface sitting atop a strong security substrate is a good start, but it’s still not enough to create applications where security and usability go hand-in-hand. That extra step—something I call “secure usability”—comes from a user interface that guides the user to secure practices by making other practices difficult or impossible.

Let’s return to Apple’s two commands for emptying the computer’s trash. Both of these commands cause the operating system to display a dialog box that asks for confirmation. But the two dialog boxes have subtly different wording. Choose “Empty Trash” and the operating system warns: “You cannot undo this action.” But if you choose the “Secure Empty Trash” command, the confirmation box states: “If you choose Secure Empty Trash, you cannot recover the files.”

What’s the difference between an action that cannot be undone and files that cannot be recovered? A practitioner versed in computer forensics will hone in on the word “recover” in the second warning. There are many tools for recovering data that has been accidentally deleted. Norton Utilities for Macintosh, for instance, comes with three “data recovery” programs—Volume Recover, UnErase and FileSaver. The wording of Apple’s warnings subtly implies that the data recovery tools will be able to retrieve files that have been deleted but not those that were securely deleted.
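The “overwrites every block” behaviour described under disk sanitization and the recovery tools discussed just above, modelled on a toy block device as a constructed Python example added here (not Apple’s or Norton’s code): ordinary deletion only frees a file’s blocks, secure deletion overwrites them first, and `unerase` scans the free blocks the way a recovery tool would.

```python
"""Toy block device: 'Empty Trash' versus 'Secure Empty Trash', and what a
block-scanning recovery tool can still find afterwards.
Constructed demonstration; a real filesystem is far more involved.
"""
import os

BLOCK_SIZE = 64


class ToyDisk:
    def __init__(self, nblocks: int):
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(nblocks)]
        self.free = set(range(nblocks))
        self.directory = {}  # name -> (list of block numbers, byte length)

    def write_file(self, name: str, data: bytes) -> None:
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)] or [b""]
        if len(chunks) > len(self.free):
            raise OSError("disk full")
        used = []
        for chunk in chunks:
            blk = min(self.free)
            self.free.remove(blk)
            self.blocks[blk] = chunk.ljust(BLOCK_SIZE, b"\0")
            used.append(blk)
        self.directory[name] = (used, len(data))

    def read_file(self, name: str) -> bytes:
        used, length = self.directory[name]
        return b"".join(self.blocks[b] for b in used)[:length]

    def empty_trash(self, name: str) -> None:
        # Ordinary delete: the directory entry goes and the blocks are marked
        # free, but the bytes sitting in them are left exactly as they were.
        used, _ = self.directory.pop(name)
        self.free.update(used)

    def secure_empty_trash(self, name: str) -> None:
        # Secure delete: overwrite every block the file occupied, then free it.
        used, _ = self.directory[name]
        for blk in used:
            self.blocks[blk] = os.urandom(BLOCK_SIZE)
        self.empty_trash(name)

    def unerase(self, needle: bytes) -> list:
        # What a recovery tool does: scan blocks no file claims for recognisable
        # content. The scan is per block, so the needle must fit inside one.
        return [b for b in sorted(self.free) if needle in self.blocks[b]]


def deleted_file_recoverable(data: bytes, needle: bytes, secure: bool) -> bool:
    # Write a file, delete it one way or the other, then ask whether a free-block
    # scan still finds the marker text.
    disk = ToyDisk(8)
    disk.write_file("plan.doc", data)
    if secure:
        disk.secure_empty_trash("plan.doc")
    else:
        disk.empty_trash("plan.doc")
    return bool(disk.unerase(needle))


if __name__ == "__main__":
    # Constructed sample document (not real data).
    plan = (b"CONFIDENTIAL business plan: launch Widget X in Q3 2004 at $199. "
            b"Do not distribute outside the product group.")
    print("after Empty Trash, recoverable:", deleted_file_recoverable(plan, b"Widget X", False))
    print("after Secure Empty Trash, recoverable:", deleted_file_recoverable(plan, b"Widget X", True))
```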

This subtle difference is exceedingly important, but is almost certainly lost on the majority of Apple’s users. One reason, I suspect, is that the phrase “Secure Empty Trash” doesn’t have any obvious parallel in day-to-day life.

What might make more sense would be to have the operating system integrate the ideas of delete, sanitize and recover with a single user interface. Gone would be the trash can; instead, the computer’s disk would be used to house a large database that would hold many intermediate versions of every file that you had ever worked on. There would be no option of “Empty Trash”; instead, the computer would automatically delete intermediate files as necessary to free up space. Of course, at times users might want to remove all traces of a document from their hard drives. To do that, they could select the file and drag it to an electronic shredder, which would have a direct parallel to the physical world.

I believe that we can ultimately resolve many of the apparent conflicts between security and usability in a way that addresses both concerns. In the case of passwords, the answer would be to use fairly short passwords but to constantly monitor users’ behavior to see if they do anything out of the ordinary. If a salesman, for instance, starts trying to download secret plans for an unannounced product, I would want that salesman stopped—even if he authenticated using a password, a smart card and an iris scanner. The balance between security and usability should be fluid, not fixed. ■

Simson Garfinkel, CISSP, is a technology writer based in the Boston area. He is also CTO of Sandstorm Enterprises, an information warfare software company. He can be reached at machineshop@cxo.com.


Endeavors Technology www.endeavorstechnology.com
Endeavors’ Magi Secure IM product allows its customers to secure all public IM users—regardless of which IM application they’re using. Its features include certificate-based authentication (built on technology from RSA Security). Magi Secure works with AOL, MSN and Yahoo clients.

FaceTime Communications www.facetime.com
At the core of FaceTime’s IM suite is IM Director, which provides multinetwork connectivity and security, auditing, routing and management controls. In addition, its applications integrate with existing IT applications including antispam, content scanning and encryption software, among others, in order to protect existing technology investments.

IMlogic www.imlogic.com
The IMlogic IM Manager provides a centralized way to manage security and policy enforcement for IM usage, and it works with a very broad range of IM clients. IMlogic claims that IM Manager is the only IM management application deployed that supports more than 80,000 seats in a single global installation across multiple IM networks. IM Manager offers out-of-the-box support for archiving and other compliance-related features as well as real-time performance monitoring.

Sigaba www.sigaba.com
Sigaba Secure IM enables corporate users to conduct multiuser conversations from desktop computers and other platforms, and to collaborate with workgroups, the customer base and across enterprises. It offers authentication at both ends of the conversation, digital signatures, encryption, integrity checking and antivirus scanning.

SurfControl www.surfcontrol.com
SurfControl’s Instant Message Filter helps companies manage IM virus and bandwidth monitoring—while also protecting their data and network by limiting or blocking access to unauthorized public IM programs, even down to a unique IP address, group or subnetwork.

-Thomas  Wailgum 






CSO

…perative: …ng New Value …y Leveraging Legacy Systems


Custom  Publishing 

Advertising  supplement  The  Agile  Enterprise  ■  A  Brave  New  World  ■  Tools  of  the  Trade 


Ascential Software


Your single source for enterprise data integration. Confidence for your business.

Certainty in your decisions comes from confidence in your data. This is essential to the success of today’s businesses. And Ascential Software is leading the way. Through our comprehensive, integrated enterprise data integration suite, you’ll have the right data at the right time to drive your business with, yes, confidence. We’ve been delivering on this promise for many years. We’ll be doing it for many more to come. In fact, more than 3,000 of the world’s leading organizations already consider us a single source for data integration. Visit our Web site today — and tap into the power of confidence.
www.ascential.com/cio


You know that voice in your head that questions every decision you make?

Soon it will be speechless.


www.ascential.com/cio 


Copyright ©  2004  Ascential  Software  Corporation.  All  rights  reserved 


ADVERTISING  SUPPLEMENT 


agenda 

NETWORK  SEGMENTATION 

By  Kris  Zupan,  CEO/CTO,  e-DMZ  Security 

[Editor’s Note: In our April 2004 edition, Strategic Directions inadvertently included an unattributed summary of Kris Zupan’s “Network Segmentation” advice. With permission from e-DMZ Security, the piece is reprinted here in its entirety.]

As many have seen, I have been quoted lately discussing Network Segmentation as an increasingly important piece of a company’s IT security policy. Network segmentation is not a new concept, and definitely not something I can take credit for designing. It has been discussed since routing protocols became commonplace in business networks, and my first practical application of network segmentation occurred in the mid 1990s.

The problem then was the same as it is now: routable protocols like TCP/IP are designed to be able to go anywhere from anywhere. The difference between the late 90s and today is that there are more reasons to connect networks (ranging from ERP systems like SAP to remote support requirements exacerbated by corporate downsizing) and more danger in these connections (as evidenced by Code Red, Nimda, Slammer, and Blaster).

While many companies have embraced segmentation to control the flow of routable traffic, I predict that by the end of 2005 this will become the de facto model for companies that have special purpose networks. Networks like Funds Transfer Networks, Process Control Networks, Clinical Trials, and R&D will all have some form of segmentation to protect against the next wave of network pathogens. The good news is that the tools at IT’s disposal today have matured at approximately the same pace as the exploits, and solutions exist that provide this capability today. The bad news is that companies that have not utilized these solutions may find a segmented network unmanageable.

My suggestions for companies that are exploring this approach (Network Segmentation) are as follows:

1. Make sure that you leverage the experience of those who have already successfully implemented network segmentation on a scale similar to your network.

2. Understand your network before designing any segmentation. Though TCP/IP growth has made many other network protocols seem less important, you may find significant parts of your business running other protocols.

3. Understand how segmentation affects your operations model. If you use SNMP or ICMP as your monitoring protocol, will segmentation affect your Service Levels?

4. Understand the details of the traffic passing between the networks you desire to segment. Don’t take a one-day sample.

5. Start small. Understand your Enterprise strategy, but do not try to turn it all on at once.


JUNE  1,  CIO/JUNE  CSO  •  VOLUME  6,  NUMBER  2 


The Agile Enterprise

4 Constructing the Agile Enterprise
It’s Hard-But Necessary-to Make Business Look Easy

8 Leveraging the Mainframe
Where 60 Percent of Corporate Data Still Resides

12 Topline Value: How Integration Makes Money

A Brave New World

14 A Brave New World
Web Services, SOA and Event-Driven Architecture

16 The ROI of Web Services

17 Integration Best Practices to Remember

20 What is Service-Oriented Architecture?

Tools of the Trade

21 Tools of the Integration Trade
Begin with the Data

21 The Four-Step Approach to Attaining Great Data


CORRECTION

In our April 2004 edition, Strategic Directions inadvertently published outdated information regarding General Electric’s results from its use of Courion’s PasswordCourier self-service password management solution. We regret the oversight.


STRATEGIC DIRECTIONS 3


The Agile Enterprise


ADVERTISING SUPPLEMENT


IT'S HARD, BUT NECESSARY, TO MAKE BUSINESS LOOK EASY

With each passing year, businesses have less time to do business. A few years ago, for instance, responses to call center inquiries took about eight hours. Now a typical response occurs in 10 seconds. Building a personal computer used to take six weeks; these days it’s accomplished in just 24 hours.

Staying competitive and successful as the velocity of business processes escalates means rethinking and reengineering not only the processes themselves but the IT systems and networks that help manage and execute them. Isolated, stovepipe applications and data stores just won’t cut it anymore.

THE DANGERS OF COMPLEXITY

Between now and 2007, 65 percent of enterprises will mismanage technological complexity and risk.

Outcome: Stifled productivity and earnings, cost inflation of at least 25 percent.

Source: Gartner, Inc.

“Traditionally, IT departments have supplied solutions that provided approximations of the business requirements and functionality actually needed. Worst-case scenario was that the business had to change its processes to meet the requirements of the IT solutions,” says Markus Nitschke, vice president of corporate marketing at Attachmate Corp. “This situation is clearly unsatisfactory and needs to be addressed with a revolutionary approach to software and system design.”

Yet few enterprises can afford to junk the multi-generational IT infrastructure they’ve spent decades creating. Building a whole new IT environment from scratch is not only prohibitively expensive, it’s also impossibly disruptive to the business.

The solution? Integrate legacy systems with each other and with emerging capabilities to inject new value into the enterprise.

“Extending the life of legacy systems and data stores by remodeling and integrating those components with new application initiatives is essential for running a business in zero-latency mode,” says Nitschke.

The Information Daisy Chain

But the process isn’t easy, according to AMR Research. Consider the following (from the 2003 AMR Research article “Rethinking Integration Decisions to Support Your Customer Requirements”):

• The typical company has five order management systems and four order fulfillment systems.

• Many companies require customers to place different orders through separate systems.

• Many companies have little or no linkage between their front- and back-office systems.

• In most organizations, customer data is not centrally managed, resulting in errors, duplication and task redundancy.

According to the research company IDC, organizations have an average of 49 applications and 14 databases that need to be integrated. Generally, no more than 20 percent of customer data is housed in a single location.

That’s because in most organizations, minimal integration is built into new development projects. By pulling in only the data and processes required by the new application, companies have created unwieldy daisy chains of data that support a frail and costly tangle of software.

Those that have attempted large-scale integration have had to use brute force to construct customized interfaces to legacy environments—which is expensive and never ending.

“Application integration, software development, process automation/workflow and business intelligence are no longer discrete disciplines that CIOs can afford to practice independently,” says Trevor Matz, InterSystems Corp.’s managing director of application integration.

Although the enormous volume of transactional data and messages generated by corporate silos—such as data, applications and systems—is processed in a point-to-point and therefore very disjointed fashion, it needs to be pooled, shared and married to business processes, often in as close to real time as possible, and without sacrificing security.

“To ensure sound system security when integrating data, CIOs should consider real-time solutions that record operational activities as they occur on source applications,” says Nigel Stokes, CEO and president, DataMirror Corp. “The solutions should be capable of tracking changes made to an application database, identifying users and recording other pertinent information. With real-time auditing capabilities, companies can take advantage of an integrated enterprise while ensuring all data remain secure, end to end.”

INTEGRATION CHALLENGES

• Avoiding culture wars: Partnership and merger/acquisition demand cultural as well as technical integration

• Unifying new technology and legacy systems

• Coping with the complexity of integrating many diverse systems and environments

• Coordination and cooperation

• Lack of sufficiently evolved standards, immature technologies

• Lack of appropriate skills

“Extending the life of legacy systems and data stores by remodeling and integrating those components with new application initiatives is essential for running a business in zero-latency mode.”

Markus Nitschke, vice president of corporate marketing at Attachmate Corp.

Hiding Complexity With Services

Cost-effective integration requires something else: hiding the arcane complexities of earlier generations of IT infrastructure—not only the mainframe monoliths and subsequent two- and three-tiered distributed architectures, but also the data, the business logic, the user interfaces and the process workflows—behind layers of abstractions based on industry-accepted standards.

For this to work, companies must do two things: use an agreed-upon abstract language to translate the arcanities of their data, business logic, operating environments and even business processes; and encapsulate both the processes and much of the technical knowledge and skill needed to engage in them as modular services.

Once that happens, data, applications and business processes can be universally accessed, shared, reconciled, recombined and analyzed automatically and without the aid of expensive experts. And companies can continue to use (for a while, anyway) their legacy databases, applications and platforms.

Furthermore, the service modules in effect make corporate IT functionality available on the network






The Power to Manage, Monitor and Protect Corporate Data in Real Time

PROFILE

DataMirror is a leading provider of live, secure data integration and protection solutions that give companies the power to manage, monitor and protect their corporate data in real time.

Since its inception in 1993, DataMirror has continued to position itself as an innovator and thought leader in the real-time data integration market and has played an instrumental role in pioneering the concept of the real-time enterprise (RTE).

UNLOCK the experience of now™

DataMirror's comprehensive family of LiveBusiness™ solutions helps customers easily and cost-effectively capture, transform and flow data throughout the enterprise. DataMirror unlocks the experience of now™ by providing the live, secure data access, integration and availability companies require today across all computers in their business.

DataMirror is a publicly funded, financially stable company with a strong business model that has helped the company progressively grow quarter over quarter and year over year.

TREMENDOUS ROI

With more than 1,800 successful customer implementations worldwide, DataMirror is an established leader in the data integration and resiliency market. DataMirror's customer list reads like a "who's who" of industry leaders—Baxter Healthcare, Campbell Soup, Debenhams, FedEx Ground, Harley-Davidson, Pfizer, Tiffany & Co and Union Pacific Railroad, just to name a few.

These and other customers have gained tremendous ROI from their DataMirror software implementation. Examples include:

• A financial services organization integrating 15 million transactions each day

• A food and beverages company saving 38 person-days of development work on its data warehousing project

• An insurance company bringing to market a new web initiative in half the scheduled time

• A mutual funds company reducing system recovery time from 12-48 hours to 30 minutes

• A telecommunications company estimating saving US$350,000 an hour in downtime costs

• Most significantly, a Fortune 500 manufacturing company reporting saving US$2.9 million over two years in data warehousing costs and US$30,000 an hour in downtime costs, while reducing overall IT spending by approximately 20 percent

To discover how your business can benefit from DataMirror's solutions, contact a representative today: DataMirror, 3100 Steeles Avenue East, Suite 1100, Markham, Ontario L3R 8T3; Phone: 905-415-0310 (toll free: 1-800-362-5955); Fax: 905-415-0340; E-mail: info@datamirror.com; Web: www.datamirror.com

DataMirror
THE EXPERIENCE OF NOW.™


as discoverable entities that can be recombined by users to invent new capabilities, with little or no help from IT staff.

It’s not hard to see how powerful this kind of abstraction—collectively called web services and service-oriented architecture—can be both to IT integration efforts and the automation, monitoring and management of business activities.

“Service-oriented architecture implemented across diverging IT systems within an organization will not only solve the integration challenges, but also put the infrastructure in place to release future applications that meet business requirements more effectively, in a less time-consuming fashion,” says Attachmate’s Nitschke.

For example, at the Florida Department of Children and Families (DCF), as much as 80 percent of client information resides in legacy systems that would cost hundreds of millions of dollars to replace. Fortunately, DCF has found a way to save 90 percent of that potential expense. Using InterSystems Corp.’s Ensemble platform, the DCF has integrated the information in 59 different applications running on a variety of operating environments into a composite portal application, called OneFamily, that provides a single view of all relevant data about an individual client.

OneFamily has improved DCF services delivery and eased IT support requirements. And thanks to Ensemble, its relational database support requirements were cut in half.




SECURE, REAL-TIME DATA SOLUTIONS.

Looking to squeeze more performance from existing systems and applications? Want to spend less time, resources and costs on data integration initiatives?

You can achieve these significant returns by implementing DataMirror LiveIntegration™ solutions for your real-time data integration needs. Discover how DataMirror’s live, secure data integration solutions can deliver 360-degree insight into business operations, allowing you to make more informed operational, strategic and tactical business decisions, improve service levels, and optimize and extend existing IT investments to reduce total cost of ownership.

DISCOVER HOW LEADING COMPANIES HAVE GAINED COMPETITIVE ADVANTAGE WITH DATAMIRROR SOFTWARE.
WWW.DATAMIRROR.COM/CUSTOMERS




"Application integration, software development, process automation/workflow and business intelligence are no longer discrete disciplines that CIOs can afford to practice independently."

—Trevor Matz, InterSystems Corp.'s managing director of application integration


Event-Driven Architecture: Do You Subscribe?

Another integration challenge lies in managing business processes that are event-driven. They need to respond to less predictable, multiple asynchronous events occurring simultaneously.

Event-driven architecture (EDA) addresses such circumstances with applications composed of services that send messages when multiple asynchronous events trigger them. The messages move between decoupled service modules that are totally unaware of each other.

When an event occurs, an event-driven application sends a message to middleware software, which passes it on to subscribing programs wanting to be notified of such events. Thus, the message gets sent to many at once. Rules-based event processing agents monitor events, sometimes thousands of them at once, and undertake actions such as filtering, mapping and applying constraints to event data.

EDA designs are effective for:

• Large distributed applications aimed at unpredictable, asynchronous or parallel activities

• When data has to go to multiple destinations

• Quickly and inexpensively reusing business components in new business processes

EDA standards are incomplete—developers are still learning their way around complex event processing. Moreover, key parts, such as development tools, security and management capabilities, still must be assembled by developers.
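The publish/subscribe flow described above, as an added example that is not from the supplement or any vendor's product: a small broker fans each event out to every subscriber of a topic after rules-based agents have mapped, constrained and filtered it, and keeps an audit trail of what happened to each event (the kind of management capability the text says developers must still assemble themselves). Topic names, event fields and the rules are constructed for illustration.

```python
"""Minimal event-driven (publish/subscribe) broker with rule-based agents.

Added example, not from the supplement: a publisher hands an event to the
middleware, which fans it out to every subscriber of the topic; processing
agents filter, map and apply constraints to the event data first.
Topic names, event fields and rules are constructed for illustration.
"""
from collections import defaultdict


class ConstraintViolation(Exception):
    """Raised by an agent when an event fails a hard constraint."""


class Broker:
    """Topic-based middleware: publishers and subscribers never reference
    each other, they only share a topic name."""

    def __init__(self):
        self._subscribers = defaultdict(list)  # topic -> [handler]
        self._agents = defaultdict(list)       # topic -> [agent]
        self.audit_log = []                    # (topic, outcome, detail)

    def subscribe(self, topic, handler):
        self._subscribers[topic].append(handler)

    def add_agent(self, topic, agent):
        """Agents run in registration order before fan-out. An agent returns
        the (possibly transformed) event, returns None to drop it, or raises
        ConstraintViolation to reject it."""
        self._agents[topic].append(agent)

    def publish(self, topic, event):
        """Run the agents, then deliver to all subscribers at once.
        Returns the number of subscribers that received the event."""
        for agent in self._agents[topic]:
            try:
                event = agent(event)
            except ConstraintViolation as exc:
                self.audit_log.append((topic, "rejected", str(exc)))
                return 0
            if event is None:
                self.audit_log.append((topic, "filtered", agent.__name__))
                return 0
        handlers = self._subscribers[topic]
        for handler in handlers:          # one message, many recipients
            handler(event)
        self.audit_log.append((topic, "delivered", len(handlers)))
        return len(handlers)


# Rule-based processing agents (constructed rules).

def map_amount_to_cents(event):
    """Mapping: normalise the decimal amount string to integer cents."""
    mapped = dict(event)
    mapped["amount_cents"] = round(float(mapped.pop("amount")) * 100)
    return mapped


def require_positive_amount(event):
    """Constraint: an order must carry a positive amount."""
    if event["amount_cents"] <= 0:
        raise ConstraintViolation(
            f"non-positive amount for order {event['order_id']}")
    return event


def only_large_orders(threshold_cents):
    """Filtering: pass only orders at or above the threshold."""
    def large_order_filter(event):
        return event if event["amount_cents"] >= threshold_cents else None
    return large_order_filter


def build_order_pipeline(threshold_cents=50_000):
    """Wire a broker with two independent subscribers and the agents above.
    Returns the broker and the two subscribers' inboxes."""
    broker = Broker()
    fulfillment_inbox, finance_inbox = [], []
    broker.subscribe("order.placed", fulfillment_inbox.append)
    broker.subscribe("order.placed", finance_inbox.append)
    broker.add_agent("order.placed", map_amount_to_cents)
    broker.add_agent("order.placed", require_positive_amount)
    broker.add_agent("order.placed", only_large_orders(threshold_cents))
    return broker, fulfillment_inbox, finance_inbox


def run_demo():
    """Publish three constructed order events through the pipeline.
    Returns (delivery counts, audit log, fulfillment inbox, finance inbox)."""
    broker, fulfillment, finance = build_order_pipeline()
    counts = [
        broker.publish("order.placed", {"order_id": "A1", "amount": "1250.00"}),
        broker.publish("order.placed", {"order_id": "A2", "amount": "19.99"}),
        broker.publish("order.placed", {"order_id": "A3", "amount": "-5.00"}),
    ]
    return counts, broker.audit_log, fulfillment, finance
```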

Nevertheless, observes Attachmate’s Nitschke, “Enabling legacy data sources and applications by delivering them as web services can be the initial step toward a full service-oriented architecture. Service-oriented and event-driven architecture can be applied not only to new development and design efforts, but to all existing legacy assets as well.”

Solutions to the complexity and confusion that typify much of data, application, system and process integration are not just visible on the horizon. They’re here. It’s 3 a.m.—do you know what your main competitor has integrated?

Leveraging the Mainframe: Where 60 Percent of Corporate Data Still Resides

Long the heart of business IT investment, mainframe operating systems and the host-class machines on which they run continue to serve as key platforms for critical corporate workloads, like online transaction processing (OLTP) and large single-system image databases. In fact, IDC estimates that in 2002, enterprises spent $12.8 billion on these high-end systems.

Although legacy systems are burdensome to maintain and outdated in technology, companies hold on to them for several reasons. The first is cost: the 200 million lines of Cobol code still in use today would cost in the neighborhood of $7 billion to replace (at $35 per line of code). What’s more, mainframe environments are easier and cheaper to control—and easier to secure—than distributed computing environments.

But mainframe applications are






Speed Matters

Examples of Integration in Action

“Nothing is more frustrating to someone than stale data—unless, of course, it’s no access to the data at all,” observes Jim Lupton, vice president of information systems at American Fidelity Assurance Co. “It’s frustrating to the customer not to have the data at their fingertips when it is convenient for them.” When business matters are at stake, smart companies such as the following find ways to make sure they can get at their data anytime, anywhere:

Lyndale Foods Group: Delivering the real-time data warehouse. Since deploying DataMirror’s Transformation Server as part of a data warehouse initiative, U.K.-based Lyndale Foods Group has standardized reporting across business units and boosted hardware performance without upgrading or buying more storage. Sales analysis is delivered 400 percent faster and with more confidence because it’s based on accurate, up-to-date data.

BG Group: Building an integrated enterprise portal. The U.K.’s BG Group trades in the gas market and wanted to replace its slow, manual processes with an easy-to-use system that would link 10 applications for gas operations, prompt traders and allow them to access the latest figures, all from a single desktop.

BG Group built an integrated enterprise portal that aggregates all of this data—refreshed in real time—onto a single dashboard. Attachmate’s Smart Connectors pull data from each of the applications and feed the information into an Oracle-based repository. The Java-based application defines standard XML interfaces and methods for integrating with multiple environments, including IBM mainframe, Oracle applications and Internet bulletin boards. The payoff: BG Group gas traders’ improved situational awareness has enabled them to recoup the cost of the new system within six months.

Landstar System Inc.: Accelerating data movement to near-real time. Landstar System, a provider of transportation capacity, needed a scalable solution that would integrate data from multiple systems in real time. After implementing DataMirror’s Transformation Server, Landstar reduced data movement time from 30 minutes to just over five seconds. The business payoff: Landstar’s partners can quickly access the most current data, improving their ability to serve their customers.


often a bear to use, while training staff to run them also eats up time and money.

The key is to expand access to mainframe environments, which results in more efficient, less costly operations because information can be more quickly and easily shared, responses to changing business conditions are more timely and tasks once handled by staff can be self-serviced by users and customers.

The goal, of course, is to be able to reuse the business logic and data locked away in mainframe environments. This can be done if mainframe data, process logic and functional code are abstracted in a standard, commonly accepted way so that they can be widely accessed, put into reusable formats and then integrated with newer web-based applications where they can be repurposed.

For example, with 200-plus requests a day for mainframe data, each one handled manually, IT managers at AgStar Financial Services knew something had to change. They chose Attachmate’s Smart Connectors, which integrate legacy host information and business logic with new and custom e-business applications. AgStar uses the Smart Connectors’ .NET web services to integrate custom applications and mainframe transactions.


The 200 million lines of Cobol code still in use today would cost in the neighborhood of $7 billion to replace.






Ensemble Makes Rapid Integration a Reality

PROFILE

Executives today are making major demands of their IT investment. They want to increase efficiency by providing enterprise-wide access to vital information and by extending access to customers and suppliers. They want to cut costs by leveraging investment in current applications. They want to compete more effectively and react more quickly to changing business requirements. And they want to achieve it all very quickly.

These are the business drivers that have made integration the #1 priority in most organizations today. These are the demands that can be met with Ensemble's universal integration platform from InterSystems.

Ensemble incorporates the capabilities of an integration server, application server, high-performance object database and a seamlessly integrated development and management environment in a single, architecturally consistent product. The result? Rapid, easy, efficient integration.

INTEGRATION OF POWER AND EASE

Ensemble's unique fusion of these previously independent technologies delivers the power to handle any scope of integration project with the ease to quickly integrate and rapidly develop.

Industry analysts and customers recognize the potential rewards of this comprehensive integration approach.

"InterSystems' Ensemble product presents a unique mixture of technology not commonly found in today's integration software that unifies the data-, process- and application-centric integration worlds. It is here that vast gains are anticipated by their customers," says Sandra Rogers, a senior analyst with International Data Corporation.

"Ensemble uniquely offers the all-in-one solution we needed to integrate information and applications, create reports across our 59 systems and leverage new technologies," says Ben Harris, deputy secretary operations and information technology for the Florida Department of Children and Families and 2004 recipient of a Computerworld Premier IT 100 Leaders Award.

A PROVEN TRACK RECORD

InterSystems, with its CACHE database, has built its reputation over 26 years by delivering high-performance, extremely scalable, enterprise-level data management software that sets the standard for developing high-performance and highly scalable applications.

Committed to delivering the same top-tier results with Ensemble, InterSystems recently introduced its rapid universal integration platform after a year of successful early adopter projects around the globe. The savings of time and cost realized in those projects were dramatic.

To learn more about how any enterprise can rapidly integrate applications, visit www.InterSystems.com/Ensemble

InterSystems
ENSEMBLE
Integrate Applications Faster


Some of the results:

• Electronic fund transfers that used to take 30 minutes now get done in about two, and with greater accuracy (always nice when money’s involved).

• Some 25 steps were consolidated into a single task that allows frontline staff to easily process loan conversions, so the data involved no longer need to be sent to other departments.

• Annual savings of time and effort add up to $328,000.

Scottish Power confronted the unenviable challenge of integrating MVS, AIX and Solaris operating systems with Oracle, Sybase and DB2 databases without sacrificing data integrity or consistency. The firm opted for DataMirror’s Constellar Hub enterprise application integration tool. The result? When Ernst & Young consultants conducted an audit of the project, they concluded that Constellar Hub had achieved a return on investment of 237 percent, with a payback period on the entire cost of the project of just a year.




INTRODUCING ENSEMBLE

THE FASTEST WAY TO MAKE YOUR APPLICATIONS PERFORM TOGETHER

Imagine your applications - both legacy and new - performing together as an ensemble.

That vision can become a reality surprisingly quickly with Ensemble, the comprehensive integration platform with all the functionality you need to rapidly complete any type of integration project on deadline and on budget. Even complex projects you may have struggled with in the past.

With its unique fusion of powerful technologies for application integration, development, deployment, and management, Ensemble enables extremely fast integration and rapid development of “composite applications” - new business solutions that integrate data, orchestrate business processes, and enhance the value of legacy applications. You’ll see real-world evidence of this in the customer testimonial section of our web site.*

Ensemble is exciting new software from InterSystems. Over the past twenty-five years our high performance products have been deployed in more than 100,000 mission-critical systems around the world.

We’re so confident that Ensemble is dramatically faster than any other integration technology, we’ll be happy to begin our partnership with you by conducting a pilot project. To pursue this, contact us at:

www.InterSystems.com/Ensemble/Pilot

InterSystems
ENSEMBLE
Integrate Applications Faster

*Read how companies like yours have integrated applications faster with Ensemble: www.InterSystems.com/Ensemble/Customers
If you are a System Integrator in need of a rapid integration platform, come to www.InterSystems.com/Ensemble/Partners

© 2003 InterSystems Corporation. All rights reserved. InterSystems Ensemble is a registered trademark of InterSystems Corporation. 12 03




The Payback for Comprehensive Connectivity to Legacy Data and Business Logic

By providing a wide range of standard interfaces to legacy data sources and applications, Attachmate myEXTRA! Smart Connectors enable any client to access any legacy resource, ensuring that the solutions you develop today will work tomorrow.

A study by IDC of the impact of implementing Attachmate’s myEXTRA! products, including Smart Connectors, shows that companies were able to:

• Lower IT staffing costs by an average of more than $230,000 per year

• Shave more than $900,000 a year from outsourcing, hardware and training expenses

• Generate an average of nearly $1.9 million in savings from higher user productivity

• Boost new revenue by an annual average of almost $2.3 million (including capture of previously lost revenue)


Topline Value: How Integration Makes Money

As the following companies can attest, integration does more than make systems work better. It can also make money.

Scotts Co.—Automating data cleansing. When fertilizer maker Scotts Co. began installing an enterprise resource planning (ERP) system, it discovered that plenty of its data was just plain wrong. After working hard to cleanse its data, Scotts decided to press the advantage and improve its forecasting and replenishment planning by incorporating point-of-sale data from its customers.

Ascential DataStage™ and Ascential QualityStage™ automatically transform the POS data according to Scotts’ rules, funnel it into the ERP system and send out alerts when the data doesn’t add up. Another result: Scotts’ customers fixed their own POS data, improving information up and down an entire supply chain.

Novo Nordisk—Reducing costs by automating data integration. Pharmaceutical firm Novo


CREATING THE ZERO-LATENCY ENTERPRISE WITH BUSINESS INTEGRATION

HOW CLOSE are you to zero-latency?

DataMirror CEO Nigel Stokes suggests answering these questions:

1. How many different databases scattered throughout your organization contain partial information about a single customer? How easy is it to consolidate this data into a single version of the truth?

2. How long does it take to compile meaningful sales figures or customer data for analysis? How confident are you that business intelligence is delivered fast enough to all the analysts and decision makers who need it? Is your analysis always based on the most consistent, accurate and up-to-date information?

3. What level of drill-down detail are you able to achieve on the data? Can you obtain data on particular products or regions and granular levels of detail, such as seasonal or quarterly sales variations or sell-through figures in time slots as small as half an hour?

4. How informed are your customer service representatives? Do they have access to a view of all historical interactions between your company and the customer on the phone? Are they equipped to respond rapidly to customer needs and resolve issues in real time?

5. Do queries sometimes affect the performance of the production systems that drive your business?

6. In the last year, how many times have your employees been affected by planned system downtime (software or hardware upgrades and other scheduled maintenance)?

7. How many times in the last year have your web site or email systems been affected by system downtime, whether planned or unplanned?

LiveBusiness™ Helps Companies Compete in the "Now" Economy, Executive Overview by Nigel Stokes, CEO, DataMirror






Universal Connectivity Through Common Hub Increases Efficiency, Reduces Costs and Improves Safety

RxHub LLC, based in St. Paul, Minnesota, is an innovative technology company connecting the health care industry via shared prescription and benefit information. Recognizing that universal connectivity through a common hub would increase efficiency, reduce costs and improve patient safety, RxHub's vision was to create a nationwide electronic information exchange to share prescription and pharmacy information.

And that's exactly what RxHub achieved using Initiate Systems' solution. Initiate enables customer-focused business strategies by providing trusted customer data on demand. Initiate's solution improves the integrity of the data in each source, virtually integrates data across disparate sources and makes complete, accurate, up-to-the-moment data available to people and systems across an enterprise, and even across organizational lines.

ON-DEMAND TECHNOLOGY

RxHub leverages the Initiate Identity Hub™ software to foster significant new levels of affordability and patient safety for approximately 250 million individuals. RxHub links doctors, pharmacists and leading prescription benefit managers via the Internet. At peak times, Initiate's on-demand technology handles 300 secure transactions per second.

"Initiate Identity Hub software is the cornerstone of the transaction switching capabilities we've created at RxHub. The ability to quickly and accurately match patients is the basis for the rest of the transactions we support, including formulary access, medication history, and generation of new prescriptions and renewals," says J.P. Little, RxHub's CIO.

What's more, he adds, RxHub can now update the Master Person Index (MPI), the medical community's equivalent of customer data, on the fly, with no downtime, for millions of records daily, "critical for supporting the service levels that participants in the RxHub network expect."

QUANTIFIABLE MEASURES OF SUCCESS

At startup, Initiate loaded and cross-referenced nearly 100 million records in approximately two hours. Now, with 250 million lives at stake, Initiate typically finds matches in 250 milliseconds, or a quarter of a second per record.

This enables RxHub to provide secure access to prescription benefit information in less than four seconds from the initial request until a physician or certified staff member receives the complete information. During open enrollment periods, RxHub processes as many as 3 million records per prescription benefit manager in about an hour.

For more information visit www.initiatesystems.com




Nordisk has realized 60 percent cost savings by using the Ascential Enterprise Integration Suite™ to easily integrate critical non-SAP data. And development time has been reduced by 66 percent because Ascential DataStage™, a core component of the Ascential Enterprise Integration Suite, eliminates the need for customized tools.

Henkel Consumer Adhesives: Doing more with the same IT staff. By providing Henkel Consumer Adhesives with a complete view of its business across several otherwise incompatible data environments, the Ascential Enterprise Integration Suite enables the firm to save substantially in annual distribution costs. Ascential DataStage enhanced sales information has also led to the capture of even more revenue per year using more highly targeted marketing campaigns and to an ability to confidently decide which product lines to continue or discontinue distributing.

Henkel Consumer Adhesives estimates that the Ascential data integration solution is 10 times more efficient than previous methods. The firm’s data warehouse designer has said that Ascential’s solution enabled the company to double in size and handle a significant increase in data management without adding IT staff.




A Brave New World

WEB SERVICES, SOA AND EVENT-DRIVEN ARCHITECTURE


The complex, even chaotic state of many corporate information technology environments is approaching crisis, exacerbated by unrelenting competitive pressure to do more, faster, with fewer resources.

Small wonder that new ideas about software architectures have begun to take hold in a big way. The old way to develop applications — ‘build it and the integration will come’ — clearly needs to give way to a world of service-oriented, built-to-be-integrated applications that expose key functionality via commonly defined interfaces and can be implemented as service interfaces in which one application invokes another as a service.

A new type of middleware based on XML and a few other standard protocols, web services piggyback on Internet protocols and infrastructure to overcome crucial limitations of traditional middleware, including:

• Inability to work via the Internet

• Lack of support for heterogeneity

• Resource-intensiveness

• Difficulty of use

• Fragility

For example, after replacing 100,000 applications with 6,000 web services, the U.S. Navy has reported a number of significant benefits:

• By making a single operation-planning application into a web service, $8 million per year is being saved because of lower management costs.

• New applications now take months rather than years to develop.

• Strategic processes such as mission planning have been improved thanks to web services that aggregate and centralize weather reports.

Web services utilize a new software design idea called service-oriented architecture (SOA), which undoes application integration to enable business integration — and deliver it using the Internet.

Its benefits include:

• Loose coupling. Unlike tightly coupled traditional applications, loosely coupled web service applications are designed with few connections and dependencies among their elements. So any given web service can work independently of the other services that comprise an application. And applications are easier to modify and update because only a few elements — that is, services — require attention.

• Easy to integrate and access. Since they’re written to publicly available standards and exploit universally deployed Internet protocols, web services are essentially interchangeable, potentially enabling integration wherever applications are designed or adapted to use them. And because web services standards establish the format, developers can spend their time creating better business logic rather than worrying about web services infrastructure.

• Webifies service-oriented architecture — and the legacy. Business processes that make up a service-oriented application have been dis-integrated into independent components (services) that are easily distributed. These services interoperate across machines and business processes — including legacy environments — to complete the solution they provide.

Thus, chunks of data and processes from spreadsheets, word processing documents, e-mail, instant messaging, calendars, ERP and CRM systems, production systems and so on can be cohesively but flexibly interlinked to streamline processes and activities across the previously impassable boundaries of technology, corporate culture and habit.

Although the promise is huge, service-oriented architecture does have some limitations:

• Underdeveloped standards mean that developers are stuck with lowest-common-denominator standard middleware, proprietary schemes or clunky gateways.

• Service reusability isn’t always straightforward, especially between disparate development teams, and plenty of application-specific services cannot be reused.

• Semantic differences between applications don’t get solved by SOAs.

TIGHTLY BOUND VERSUS LOOSELY COUPLED INTERFACES

Tightly bound RPC interfaces:

• Map application functions to web service interfaces via WSDL

• Invoke the application using SOAP calls

Loosely coupled event-driven interfaces:

• Use messaging to communicate among several peer applications; each application responds to incoming asynchronous messages that represent business data and/or business events.

• Result in more independent applications; each one parses incoming messages and reacts to their contents, so the only contact between applications is a shared message format.

• Isolate business logic from overall interapplication event flow, making it easy to change.

Q & A: JOHN HUMMEL, SUTTER HEALTH, ON INTEGRATION CHALLENGES

With a chain of 27 hospitals and 18 clinics producing annual revenues of $5.5 billion, Sutter Health is one of the nation’s leading not-for-profit networks of hospitals, doctors, nurses and other healthcare services. Sutter Health CIO John Hummel, who has overseen the development of a portal strategy that relies on Initiate Systems’ products, talks here about the issues and opportunities of integrating in an unwieldy industry.

Q. How do you hook up 5,000 doctors, 27 hospitals, 18 clinics and 20 other assorted healthcare providers? How do you deal with the auxiliary issues, like the political (who owns the data), HIPAA (who can see the data) and medical licensure (who can use the data)?

A. If I can get my MDs to use Microsoft’s .NET — 95 percent of them are on PCs using Microsoft products — I can leverage all our systems in virtual databases and streamline data acquisition through a combination of service-oriented architecture (SOA) and event-driven architecture (EDA).

We could hook up everyone in the healthcare family through a zero-latency distributed system running on a virtual private network. This could give all caregivers the tools they need to treat the patient with all the needed information.

The power of this to our industry is enormous. Regardless of the application vendor our physicians or nurses may be using, the data connectivity will provide both increased patient safety as well as cost savings.

Q. How close are you to making this real?

A. I think we’re in the process of really setting these directions and strategies. In the next few weeks, we’ll be installing our first ATM/MPLS* wide area networks. We’re also getting our first pilot projects up with a few selected vendors, and are figuring out how to best introduce and utilize the .NET system to achieve our doctor and patient portals.

So we’re now strategically linking our vendors, thanks to their ability to run on .NET. This allows us to use .NET and Biztalk, along with Microsoft’s Share and Info Point products (for web and portal applications), to build enterprise integration.

* Asynchronous transfer mode/multiprotocol label switching

What an Enterprise Service Bus Can Do

Traditional, tightly bound, distributed application environments are so complex that they’re tough to monitor and troubleshoot. They’re also populated with many kinds of middleware and integration mechanisms — remote procedure calls, message-oriented



middleware, object request brokers and web services.

Using XML, the standard at the heart of web services, helps. It’s universally understood, hides implementation details, employs a common communications protocol and interface definition, makes files self-describing and furnishes fixed formats.

But there are things XML doesn't do: it doesn’t escape the tight binding of the client/server model; integration logic remains inflexible because it’s embedded in the applications; and the integration itself is still point-to-point.

As a result, some organizations are turning to enterprise service buses (ESBs), integration environments that implement a loosely coupled service-oriented architecture. ESBs deal with applications as event-driven services and support orchestration, messaging, routing, legacy applications, application servers and middleware.

“Web services have proven to be a viable option for lowering integration costs, as has the application platform approach provided by such vendors as BEA, IBM, Oracle and Microsoft,” says Nucleus Research analyst Kathy Quirk. “With the mix of products now available, organizations have greater possibilities for selecting products that provide the best ROI for their integration needs.”

Some products, like InterSystems Corp.’s Ensemble rapid integration platform, bridge event-driven and service-oriented architectures, since they support the event-driven solutions needed in long-running business processes as well as service-oriented request-reply solutions.

Ensemble unifies architecture, development, management and storage across four tiers of enterprise business management: the data management server, the integration server, the application server and the portal server. It can be used to:

• Build adapters

• Transform data

• Handle rule-based routing

• Graphically model business processes

• Develop composite applications

• Develop dashboard-based business activity monitoring

The result? “A single comprehensive platform for rapidly building and deploying new business fusion solutions,” says Trevor Matz, InterSystems managing director for application integration. This platform, he notes, leverages the functionality of existing applications, orchestrates previously autonomous business and operational processes, and integrates information from across the enterprise.

The ROI of Web Services

Among the key benefits you can expect from web services:

Improve IT productivity. Development teams can do more in less time, thanks to graphical tools, a reduced need to custom code and architectures that promote reuse. “To keep costs down, squeeze more efficiency from existing systems and stay on par with competitors, it makes good business sense to implement real-time technology that supports a wide range of systems, thereby allowing existing technology assets to be leveraged,” says Nigel Stokes, CEO and president of DataMirror Corp.

Improve business productivity. American Fidelity Assurance Co. uses Software AG products to run a data-integrating, self-service portal used by thousands of customers, brokers and account managers. “Why not push the work to a customer who is more than happy to do it for you?” suggests Jim Lupton, vice president of information systems at the company.

Reduce total cost of ownership. Simpler infrastructure is cheaper infrastructure, thanks to the use of standards rather than customized integration links, fewer license agreements to be maintained and so on. “Flexible multiplatform solutions,” says Stokes, “help breathe new life into legacy and operational systems and reduce the total cost of ownership.”

Lower training costs. “Easier-to-use tools and platform extensions lower the learning curve because developers can work within a familiar environment and extend their skills to build integration applications,” says Nucleus Research analyst Kathy Quirk.

And, of course, proper planning has a huge impact on ROI. “Only organizations that have a clear business need and a definite roadmap for exploiting integration software will achieve efficiencies and cost savings,” Quirk notes.

New Data Warehouse Slims Jenny Craig Expenses by $1 Million

Using software from Ascential Software Corporation, weight management advisor Jenny Craig, Inc. built a new data warehouse that synthesizes client and transaction information from approximately 650 Jenny Craig Centres around the world, giving the company a 360-degree view of each of its clients. Armed with this comprehensive view, Jenny Craig has brought its outsourced direct marketing programs in house, saving the company an estimated $1 million in outsourcing and IT development costs in just one year.

According to Jenny Craig, the company began the project to address three specific problems: a lack of information about its customer base; the high cost of outsourced marketing campaigns; and a lack of real-time access to its own marketing campaign results, which prevented the company from doing the kinds of analytics and segmentation that it needed for effective campaigns.

The company's new data warehouse allows all employees to communicate, using consistent information, with Jenny Craig customers and Centres. By taking charge of its customer data, Jenny Craig was able to shed the vendor to whom it was paying more than $750,000 per month, along with all the redundant data and multiple disparate databases.

INTEGRATED SOLUTION SPANS FULL DATA LIFE CYCLE

The Ascential Enterprise Integration Suite is the only integrated solution that spans the full data life cycle and the only enterprise data integration vendor that approaches data profiling, quality and transformation as closely connected, interdependent operations.

Installing the Ascential Enterprise Integration Suite enabled Jenny Craig to lay the foundation needed to extract data from multiple data sources, clean the data and upload the cleansed, non-duplicated data into a central location. The project cost $500,000 and will take only six months to pay for itself. The company will also create its own marketing campaigns, conduct its own analysis and maintain its own database, contributing to the $1 million in savings.

Because of the Suite's efficiency, the weight management firm reassigned one-third of its IS staff and flattened its hierarchy, giving everyone in the department a chance to spread their wings, to take some responsibility for important projects and improve their day-to-day work experiences.

For more information on how Ascential Software Corporation can integrate your company, visit www.ascential.com

Integration Best Practices to Remember

“While the importance of integration to creating an ‘on demand’ business presence cannot be overstated, it will not be easy to achieve,” says Steve Garone, chief analyst and managing partner at The AlignIT Group. Some advice from the trenches:

Align IT with the business. Begin strategically by aligning your deployment of web services with the needs of your business. You might want to make this part of a larger effort to map your IT infrastructure and capabilities to your organization’s goals and needs.

Design a service-oriented architecture for your organization. Don’t deploy web services without first developing a service-oriented architecture that’s been aligned with business requirements. (One go-more-slowly possibility: adopt a transition architecture that introduces the concept of service orientation but not the technologies.)

Don't give up on the legacy, but know when to fold. It’s common sense to look for ways to reuse legacy logic and systems before scrapping them. Services added on to legacy environments cost less, especially when using development tools that support the creation of web services.




“Use the business and security rules built into the systems as they exist today,” advises Jim Lupton of American Fidelity Assurance Co. “Don’t duplicate rules in the new environment.”

But the functional capabilities of legacy systems are limited. These limits define the point beyond which integrating them isn’t worth it.

Pick your targets carefully. Incorporate web services only where you believe they will add value, such as automating the manual processes hidden in distributed activities like customer support or field sales. Get line-of-business managers to help you both identify where web services can make a difference and pick pilot projects. Likely best bets: core applications running in stable legacy environments, applications that are costly to integrate and manage, well-defined trading partner applications, and applications that require special skills to develop or use or need special hardware or adapters to interoperate.

Do your homework. Make sure you have a thorough knowledge of the business model for which the service is being designed as well as the technologies the service uses. Do multiple pilots and anticipate that some will fail. One starting point: wrap SOAP and WSDL around existing interfaces to attain one-way, point-to-point integration that apes traditional data-centric APIs.

Don't forget ROI. Nothing provides proof-of-concept like solid evidence of positive return on investment. That means measuring performance before as well as after web services are implemented.

Stick to the standards. “I’m still a big fan of XML and the promised standards,” says Lupton. “As more and more companies implement them, the need to care about whose data is the most critical and who will have to convert should be eliminated.”

Plan to implement and migrate in increments. Doing web services in increments gives you the ability to keep things simple and on budget — and to generate the incremental ROI that will keep support for web services development high.

Because web services are loosely coupled, they can be phased in incrementally at different levels, and your staff can learn about them as they go. Don’t let your web services project momentum get ahead of your organization’s knowledge curve.

Some organizations are implementing web services in successively more mature stages. They begin with read-only, data-centric services that imitate existing APIs, move on to two-way transactional services that can leverage emerging standards and products and finally field document-oriented, asynchronous services addressing sophisticated business processes.

Choose your weapons. You’ll need to decide on a core services platform. Many use as a foundation the work they’ve done on Windows and J2EE servers. Or you can turn to enterprise software platforms, which are being adapted to deliver web services, or newer service- and/or event-oriented integration platforms.

Design for the future. This means you’ll want your web services efforts to be fully scalable. Among the issues to keep in mind are:

• IT infrastructure integration. Use web services standards across your entire enterprise; use naming conventions to label your infrastructure. Build shared infrastructure services to ensure security, reliability and manageability (candidates include data transformation and logging applications).

• Web services that are integration-agnostic. The more kinds of integration you can support, the better. After all, your organization needs:

• Interface integration, to deliver a single, interactive user experience

• Data integration, to federate data and transport enterprise information

• Application integration, to bring true interoperability to infrastructure architecture

• Process integration, to orchestrate applications and services

• Process-centric web services. Before selection of data types or APIs, each web service should be designed as a discrete task with business process inputs and outputs.


• Migration path awareness. Web services should be designed to accommodate anticipated migration paths.

• Development using a standard component framework. This promotes reuse of modules and systems, enabling you to migrate legacy assets to web services as need and opportunity demands.

• Adaptability to new IT models. Notably, CIOs should consider on-demand computing, portal-based clients and grid computing.

• Expect to make changes you don't expect. Surviving and thriving depends on one’s ability to adapt to evolving circumstances. Pragmatism rules.

Harbor Federal Savings Bank Enhances Secure, Scalable Banking Services

With $2.4 billion in assets and 34 full service banking branches, Harbor Federal Savings Bank (Nasdaq: HARB) is one of the largest independent financial institutions in Florida. It also has the distinction of being rated the number one safest bank in the state.

As a longtime Attachmate customer utilizing a Unisys ClearPath NX host, Harbor Federal knows the importance of working with a vendor with expertise in both host access and Unisys legacy systems.

INTERNET-SAVVY CUSTOMERS REQUIRE ONLINE ACCESS

Early on, the bank recognized the benefits of using the Internet to provide customer service, says Annetta Smith, IT director for Harbor Federal, and asked Attachmate consultants to codevelop an application to get the bank "where we needed to be."

Using Attachmate SDK technology, Harbor Federal's Internet banking services rolled out in 1999, offering customers retail banking via the Internet (account information and transfer of funds). Online banking proved so popular with customers that the bank has continued to add more features, such as external funds transfers.

Recently, it has rolled out a check-viewing feature. Attachmate worked with Image Soft to reproduce check images and create the onscreen presentation. Nearly 100 customers a week are signing up for the option.

Currently, Harbor Federal has about 24,000 commercial and retail customers using online services, with 10,000 transfers a month. Thirty percent of the bank's accounts are online and about $2 million per month is moved via the web. With increasing levels of activity, it continually enhances online services, which it treats as its highest-volume-transaction "branch."

SMART CONNECTORS TAKE ONLINE SERVICES TO THE NEXT LEVEL

The first bank in its area to offer secure bank-to-bank transfers, Harbor Federal is adding more features and functionality by migrating to Attachmate myEXTRA! Smart Connector technology.

Smart Connectors allow the bank to automate processes from the front-end user interface by making the link to the back-end host functions necessary to complete the transactions. Processes previously done manually, like stop payments, will be automated. Customers will be able to transfer funds to other banks with preverified forms.

"Information will be auto-populated, so there is no need to type in data. Customers simply pick and choose options," adds Smith. New commercial functionality will include check verification, wire transfer and ACH origination via the Web.

"This is just amazing," says Smith. "Smart Connectors allows us to go in different areas, improve efficiency and gives us more management capabilities, plus it's a lot easier. And we don't have to disturb our current online system while we implement the new technology. Customers will still enjoy the simplicity of the interface, without disruption of service."

ATTACHMATE SOLUTION SIMPLIFIED IT TASKS

Harbor Federal wanted easy maintenance and the flexibility of integrating data from multiple sources, accessing various types of database engines.

"We looked at other vendors with good database applications, but where those vendors were required to talk to the mainframe, there was a breakdown. We selected Attachmate because of its expertise in host access and especially its Unisys knowledge," says Smith. "I met with Attachmate and said 'I think we can make this work,' and we did."

For more information on how Attachmate can help you, visit www.attachmate.com

What is Service-Oriented Architecture?

SOA is a software design principle that promises to:

• Incrementally develop and deploy business software

• Reuse business components in multiple channels and environments

• Assemble new business processes at low cost

• Bring clarity to application topology

How it works: A description language defines all functions as services that have invokable, platform-independent interfaces that perform business processes when called. All services:

• Are based on a platform-independent interface contract, so clients from anywhere, in any operating environment, using any language, can use the service

• Can be dynamically located and invoked

• Are self-contained, so each service maintains its own state

Web services are one way to implement an SOA, providing a kind of service-oriented architecture in which network-accessible software functions (application services) are made accessible using platform-independent web standards. These standards define protocols for communications and interfacing that can be provided via a server or invoked from any application client. Key web services protocols include XML (extensible Markup Language), SOAP (Simple Object Access Protocol), WSDL (Web Services Description Language) and UDDI (Universal Description, Discovery and Integration), which work as follows:

XML tags the data. XML enforces document rules using a standard alphabet, punctuation and words to encode messages and describe interfaces, so developers can create customized tags that define, transmit, validate and interpret data between applications and organizations.

SOAP transfers the data. SOAP describes the content of a message and how to process it — called the SOAP envelope — and provides a binding framework for exchanging SOAP envelopes, including an ability to represent application-defined data types and remote procedure calls and responses.

WSDL describes available services. WSDL is an XML format that defines network services by abstractly describing messages and operations and then binding them to specific network protocols and message formats to define an endpoint. Such abstraction makes WSDL a very flexible way to describe complex web services applications.

UDDI lists available services. UDDI is a set of protocols and a public directory of a network’s registered web services that can be accessed in real time, enabling the hosting of multiple versions of a service, management of services access and creating aliases to services.

Web  services  can  be  used — and  importantly, 
reused — in  any  type  of  network  environment  with¬ 
out  the  user  needing  to  know  implementation 
details,  so  web  services  support  a  wide  range  of  data 
interactions,  including  business-to-business  and 
peer-to-peer.  In  effect,  an  enterprise’s  IT  functional¬ 
ity  is  made  available  on  the  (public)  network  as  a 
collection  of  discoverable  services.  SD 
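The SOAP envelope and the remote-procedure-call style described above, as an added example that is not code from the supplement or from any vendor it names: a small Python helper that builds a SOAP 1.1 RPC request and parses a peer's reply, refusing oversized messages, DTDs (which SOAP 1.1 forbids in a message) and body elements outside the expected application namespace. The GetCustomerBalance operation, the urn:example namespace, the size limit and the sample messages are constructed placeholders.

```python
"""Constructing and checking SOAP 1.1 RPC envelopes.

Added example for the SOAP/WSDL section; not code from the supplement or
from any vendor named in it. The operation name (GetCustomerBalance), the
application namespace and all sample messages are constructed here.
"""
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
APP_NS = "urn:example:customer-service"                  # constructed placeholder
MAX_MESSAGE_BYTES = 1_000_000                             # assumed per-message limit

ET.register_namespace("soap", SOAP_ENV)
ET.register_namespace("app", APP_NS)


def build_rpc_request(operation, params):
    """Wrap an RPC-style call in a SOAP envelope.

    The operation becomes the single child of soap:Body and each named
    parameter becomes a child element of that operation, which is how
    'remote procedure calls and responses' ride inside the envelope.
    """
    envelope = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    body = ET.SubElement(envelope, f"{{{SOAP_ENV}}}Body")
    call = ET.SubElement(body, f"{{{APP_NS}}}{operation}")
    for name, value in params.items():
        ET.SubElement(call, f"{{{APP_NS}}}{name}").text = str(value)
    return ET.tostring(envelope, encoding="unicode")


def _local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


def parse_rpc_message(xml_text, expected_ns=APP_NS):
    """Parse a SOAP 1.1 message from an untrusted peer and return a dict.

    Rejects oversized input and any Document Type Declaration before parsing
    (SOAP 1.1 forbids DTDs in messages, and a DTD is also where entity
    expansion attacks live), then insists on the envelope structure the
    section describes: soap:Envelope, soap:Body, exactly one body child in
    the expected application namespace. A soap:Fault is reported, not raised.
    """
    if len(xml_text.encode("utf-8")) > MAX_MESSAGE_BYTES:
        raise ValueError("SOAP message exceeds size limit")
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not allowed in SOAP messages")

    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        raise ValueError(f"root element is not soap:Envelope: {root.tag}")
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None:
        raise ValueError("soap:Body is missing")

    fault = body.find(f"{{{SOAP_ENV}}}Fault")
    if fault is not None:
        # faultcode/faultstring are unqualified elements in SOAP 1.1
        return {
            "fault": (fault.findtext("faultcode") or "").strip(),
            "faultstring": (fault.findtext("faultstring") or "").strip(),
        }

    children = list(body)
    if len(children) != 1:
        raise ValueError(f"expected one RPC element in soap:Body, found {len(children)}")
    rpc = children[0]
    if not rpc.tag.startswith(f"{{{expected_ns}}}"):
        raise ValueError(f"RPC element is outside the expected namespace: {rpc.tag}")

    params = {_local_name(child.tag): (child.text or "").strip() for child in rpc}
    return {"operation": _local_name(rpc.tag), "params": params}


# Constructed sample messages: what a service might send back.
SAMPLE_RESPONSE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <app:GetCustomerBalanceResponse xmlns:app="urn:example:customer-service">
      <app:customerId>C-1001</app:customerId>
      <app:balance>1250.75</app:balance>
      <app:currency>USD</app:currency>
    </app:GetCustomerBalanceResponse>
  </soap:Body>
</soap:Envelope>"""

SAMPLE_FAULT = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <soap:Fault>
      <faultcode>soap:Client</faultcode>
      <faultstring>Unknown customer</faultstring>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>"""


if __name__ == "__main__":
    request = build_rpc_request("GetCustomerBalance", {"customerId": "C-1001"})
    print(request)
    print(parse_rpc_message(request))
    print(parse_rpc_message(SAMPLE_RESPONSE))
    print(parse_rpc_message(SAMPLE_FAULT))
```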


"While the importance of integration to creating an 'on demand' business presence cannot be overstated, it will not be easy to achieve."

—Steve Garone, chief analyst and managing partner at the AlignIT Group




The tools of the trade

Integration


BEGIN  WITH  THE  DATA 


In 2002, about five exabytes (one exabyte = 10^18 bytes) of information were generated in print, film and magnetic and optical storage, according to a study by the University of California-Berkeley. That's roughly 800 megabytes of recorded information per year for every human being on the planet.

Such massive amounts of data are intensifying the strain on corporate information systems already struggling with serious data quality problems—problems that cost U.S. businesses about $600 million in 2002, according to estimates from The Data Warehousing Institute. Data quality issues are triggering failure in more than 50 percent of CRM initiatives, say analysts at Gartner.

Arguably, then, IT integration starts with the data. Businesses that don't integrate their data can't expect to do more than behave as a collection of noncollaborative neighboring units. "Data is the fuel of the on-demand enterprise," says Mark Battaglia, senior vice president of marketing at Initiate Systems. "Without accurate, up-to-the-moment data, on-demand just enables you to make mistakes faster."

THE FOUR-STEP APPROACH TO ATTAINING GREAT DATA

Proper integration means making data quality a top priority. CIOs can improve data quality by taking these key steps:

1 ENSURE DATA CONSISTENCY

• Profile all of your source systems (using reconnaissance software) in terms of data content, data dependencies and data quality.

• Establish enterprise-wide data definitions and metadata and possibly rules and processes for data capture.

• Centrally store the master data dictionary, enterprise metadata and related information about processes so it's universally available.

• Standardize the data your enterprise depends on to do business (for example, product/service information, customer names).

• Match records across data sources to resolve any conflicts or redundancies between sources (and the business processes they support).

• Apply uniform rules, procedures and processes to new real-time data as well as batch data cleansing.

• Automate data integration chores that are manually tedious and resource-intensive, such as data extraction, repurposing, transformation and loading, so these processes are reliably repeatable and can be adapted easily to changing business conditions.

• Deploy information lifecycle management tools to help maintain data value and integrity over time.

2 ADJUST YOUR IT INFRASTRUCTURE TO ACHIEVE DATA CONSISTENCY

• Opt for interoperability, which is achievable these days in two ways:

1) Deploying suites that include data quality, profiling, integration, metadata management and other key data functions in a single platform

2) Adopting open standards such as XML and web services, J2EE and .NET, to integrate legacy data and systems, including those in other enterprises.

• Employ a scalable architecture and platform environment, so you can adapt to evolving business conditions, manage large amounts of data and respond to growing data volumes and integration requirements.

3 KNOW THY DATA

• Understand how your business creates its information, including how data emerges from the ways your business touches its customers and prospects.

• Apply a single enterprise-wide set of business rules to the integration of all customer data, regardless of its source or use.

4 IMPROVE THY DATA

By developing new ways to use it, like combining real-time customer data with customer transaction histories, demographic data and financials, companies will find that their data yields better and more useful insights, all in support of the legendary 360-degree view of the business and its customers.

"To create trusted information," says Mark Battaglia, senior vice president of marketing at Initiate Systems, "CIOs must become as vigilant about data integrity and data integration as they are about data storage and data movement."

WHAT'S IN A BYTE?

Gigabyte = 1,000,000,000 bytes (10^9 bytes)

Terabyte = 1,000,000,000,000 bytes (10^12 bytes)

1 Terabyte = 50,000 trees made into paper and printed

Petabyte = 1,000,000,000,000,000 bytes (10^15 bytes)

200 Petabytes = production of digital magnetic tape in 1995

Exabyte = 1,000,000,000,000,000,000 bytes (10^18 bytes)

2 Exabytes = total volume of information generated worldwide annually

5 Exabytes = all words ever spoken by human beings

Zettabyte = 1,000,000,000,000,000,000,000 bytes (10^21 bytes)

Yottabyte = 1,000,000,000,000,000,000,000,000 bytes (10^24 bytes)

And as more data get created with each passing minute, it's no longer practical for organizations to use third-generation languages (3GLs) and scripts to hand-code the extract-transform-load (ETL) work that underlies their data integration initiatives.

These days, ETL—still at the heart of data integration—encompasses several core capabilities:

• Automated data profiling to uncover source data structure and content

• Assuring consistent data quality

• Strong ETL functionality that can integrate data from any source and load it to any target

• End-to-end metadata management so there's uniformity in the ways an organization defines, tracks and manages its data

• Scalability to handle integration tasks involving ballooning data volumes and shrinking time frames

"Hard returns related to data cleansing efforts often come from the reduction or elimination of the labor costs associated with hand-coding data cleansing applications and manual reconciliation of individual records," says Pete Fiore, president of Ascential Software. "Productivity gains delivered by automating previously manual processes are substantial, especially in view of the increasing demand to profile and cleanse data in large scale across the enterprise."

For example, WesTrac Equipment, an Australian dealer for Caterpillar, needed its SQL Server-based purchasing application to interact with other business applications, and numerous web applications required database-resident business information in real time. DataMirror's Transformation Server did the trick, delivering ROI faster than WesTrac expected: the three-year ROI of the measured WesTrac applications and services that rely on Transformation Server is roughly $3 million.

Customer  Data  Integration 

Much of business and IT integration contributes to enterprise cost savings that improve the bottom line. Adding to topline revenues, however, is another matter.

For many companies, a first step to boosting revenues is improving the quality of their customer data: when you know who your customers are and how you've interacted with them, you can identify the most profitable products, relationships and strategies.

"Obtaining an accurate, single view of the enterprise, including external relationships, can directly translate into expanded and longer relationships with less attrition," says Ascential's Fiore.

But launching an enterprise-wide data quality initiative can be complex and resource-intensive in its own right. It requires that you deal not just with data volume, but also:

• The many and varied channels through which customer data flows

• Customers' high mobility—direct marketers estimate that about 2 percent of a typical consumer database "goes bad" each month

• The lack of integration among systems and applications

• A growing collection of regulations and compliance requirements that drive how data is collected, used, stored and secured

"Regulatory or legal requirements such as Sarbanes-Oxley or HIPAA are the impetus for a better understanding of data quality and its impact on the business," Fiore says. "The mandate for better corporate governance and financial transparency has also been a significant driver and has raised the stakes, because poor data hygiene can result in criminal and civil penalties."




The Ascential Dialogue

Essential Insights on Enterprise Data Integration

About Data Integration: Challenges and Solutions

Pete Fiore is President of Ascential Software. If you have a question for Pete, please send it to: ascential.dialogue@ascential.com

Why does data integration always come up as one of the top issues on the minds of CIOs?

Well, every company needs integrated, accurate and reliable data to make the right business decisions. The importance of data in this mix is really driven by fundamental business issues that IT departments need to be in front of. Today's top CIOs are being asked to deal with issues such as: Sarbanes-Oxley compliance; Basel II in financial services; creating IT efficiencies by consolidating an organization's view of its critical data; and cost reduction through application and infrastructure consolidation. When you think about it, data is one of the most valuable corporate assets that a company has. Business leaders recognize that in a world of increased accountability, the decisions they make must be based on data they have confidence in. So you see companies demanding a robust data infrastructure that critical business decisions can be based on.

What Do You Think?

Ascential Software wants to know what's on your mind re: data integration, and give you the chance to compare your answers with those of your peers. Go to the URL below to answer this question and benchmark your response:

"Which Business Drivers are Creating The Most Demand for Integration?"

A. Regulatory Compliance (e.g., Sarbanes-Oxley)

B. Cost Reduction

C. Business Intelligence

D. Single/Accurate View of Enterprise Data

E. ERP/CRM Implementations

F. Other [fill-in]

www.ascential.com/survey/

So how do you define data integration?

Data integration is about bringing together data from all the different sources, systems, and applications that are used around an enterprise, and assembling that data into a valuable and reusable information asset to drive business initiatives.

Data integration provides an organized, repeatable and continuous process that assures that the information an enterprise relies upon is coherent, accurate, up to date—even up to the minute or instant—and that this information is readily available in the required form to all the applications that need it.

The IT executives we talk to believe the necessary steps to integrating data include: data profiling—discovering where your data is distributed throughout the organization and how it is structured; data quality—ensuring it is accurate and reliable; and data transformation—putting it in the right formats and systems when needed. All of this needs to be available within a Service Oriented Architecture, be built on a scalable platform and must include metadata management and sharing.

How should a CIO build & sell a business case for a new data integration initiative?

First, look across the various business units in your organization. Most likely, there are already a number of business initiatives underway that will benefit from a common data integration infrastructure.

Once these initiatives are identified, we suggest researching comparable projects outside your enterprise to quantify the potential business and IT benefits and overall impact to your organization. The good news here is that data integration delivers very tangible and rapid return on investment. The case will be easier to document and sell if you can partner with a vendor who has completed similar projects.

As you build your case, make sure it includes all the components necessary to implement an effective data integration project, including architecture, methodology, software platform, and best practices. Before presenting the case to senior management, share it with various business stakeholders in your organization to get feedback and buy-in, address specific concerns, and fill in any unforeseen gaps.

INTEGRATION RESOURCE

For a free copy of the report, "The Essential Guide to Accessing, Consolidating and Trusting Your Data," please visit www.ascential.com/guide/

Ascential Software




Making decisions with only half the information is ... useless.

SOA is a moot point if you don't include your legacy systems

There are a lot of vendors claiming they can solve integration issues, but very few have the know-how to actually get to the heart of your business: your legacy system. And if you can't get all the information, your plans for smooth integration and a service-oriented architecture come to a standstill.

Our time-proven technology lets you SOA-enable your host, so you can respond to new business demands economically, by maximizing the investments you've made in your legacy assets over the years. Without taking unnecessary risks.

For useful information, download the IDC® ROI white paper at www.attachmate.com/useful.

© 2004 Attachmate Corporation. All Rights Reserved. Attachmate is a registered trademark of Attachmate Corporation. IDC is a registered trademark of International Data Group.


It's OK to show off to your friends that you were in CSO.

But it's even better to show your customers.

What better way to inform your key customers of your editorial coverage in CSO than through customized Editorial Reprints?

Leverage the positive impact of your editorial coverage by using reprints for direct mail campaigns, seminar promotions, employee communications, recruiting and marketing programs. Let us enhance your reprints with your company's logo, address, and sales message. Reprints make great SALES tools for trade shows, mailings or media kits.

And while a framed copy of your article will look neat on your wall, it will look even better in the hands of your customers.

For more information on customized editorial reprints in volume quantities, contact Jackie Day at 651.582.3856 or email jjd@rsicopyright.com.


CSO Undercover

Keeping Your Business Clean

Take this quiz to test the ethical health and well-being of your business. By Anonymous


A COLLEGE PAL OF MINE—a corporate lawyer at a major, publicly traded company—has been watching all of the corporate-integrity meltdowns from his not-so-distant vantage point. Just for fun, he helped me devise a quiz of sorts to check out the "uprightness" of my own situation at my company. I was shocked and disturbed enough with my results to share them here (under the protection of anonymity, of course).

Maybe I'm a good Samaritan, but I care about America's corporations, and I hope our times offer an opportunity to change some thinking. Take this little corporate hygiene quiz with a few of your trusted business pals over a latte or two. And since catharsis is good for the soul, I'll share my answers with you here. I used a scale of one (not so much) to five (absolutely) to get a numerical sense of where I stood.

To start, does your business depend on a complex technical environment with significant uptime reliability?

Aren't we all increasingly reliant on a networked environment with nodes, access points and critical intersections in places that we can't see or control? Uptime reliability is important for everybody these days, but it's an expected cornerstone of businesses that feel they need to hire a CISO. I give myself a four on this one.

Does your company have operations in any country below the equator?

Many U.S. companies have core business processes located in countries below the earth's beltline. Security risks exist there that make knowledgeable security professionals twitch every time their phone rings: kidnappings, corruption, incompetent and criminal law enforcement, Internet crime, organized crime, drugs, money laundering, an overall unsafe environment with too many Foreign Corrupt Practices Act temptations. But what are you going to do? The labor is cheap and we have to be competitive. My company is moving in that direction but not there whole hog yet. So I'll give us a three on this one.


Would you characterize the velocity of your company's business as high-speed?

How about warp speed? How else can we continue to satisfy Wall Street and our fickle shareholders? We're all being pushed to do more with less. And there's so much going on in the back draft of this fast pace, I wonder what the hell else I'm missing. I'll take a five on this one. I'd take a six if it were allowed.

Do you forgo a criticality rating to identify shortcomings in business controls and security measures?

With all the open books and disclosure emphasis these days, the lawyers are really nervous about recording any risk information that could come back to haunt us. As a security professional, I've always lived with criticality ratings—it's all about the likelihood of problems we need to be prepared to address. But I know for a fact that we have no organized process for doing this across the business. In the aftermath of Sarbanes-Oxley, our auditors now rank their findings; but that's ex post facto and, besides, an audit is cyclical and periodic. This is all about what keeps knowledgeable risk managers awake at night and what we are missing. I'd better take a four (and hope for the best).

Does your corporate risk-management model discourage individual managers from seeking out vulnerabilities in the system of controls?

My company doesn't have a risk-management model, per se—and then blame is typically parceled out to the lowest common denominator. I'll take a four on this one, too. (This isn't shaping up well, is it?)

Are managers ill-informed about what to look for on control deficiencies or cues on risky behavior?

There's not a lot of sharing here, especially concerning errors or incidents. After all, who wants to shoot themselves in the foot? We have an active infosecurity awareness program, but it hasn't been integrated into any of the training and employee development programs we run on a continuous basis. HR owns management training, but it doesn't recognize that the manager's job has a core risk-management component. And what's the first question out of the CEO's mouth when it hits the fan? "Who's the manager of this disaster?" I can't vouch for manager awareness across the board. So let's score a three here.

58 www.csoonline.com June 2004

ILLUSTRATION BY DAN PAGE

Major Password Headache

Learn how major corporations, major government agencies, even a Major League Baseball team obtain relief.

Using DigitalPersona® Pro fingerprint-based Total Password Automation you can simplify authentication and improve security. You can even reduce password management costs by as much as 90%.

DigitalPersona Pro

■ Server controlled fingerprint authentication

■ Total Password Automation for network, application and web access

■ Easy Microsoft® Active Directory integration

■ Superb performance

Simple//Secure//Superb Fingerprint Authentication Solutions
Learn more at DigitalPersona.com

DigitalPersona is the registered trademark of DigitalPersona, Inc. in the United States and other countries. All rights reserved. Microsoft is the registered trademark of Microsoft Corporation

Are there unaddressed vulnerabilities in your company's safeguards or other such exposures that could be exploited?

The fact that this question has to be included speaks volumes about the maturity of risk management. Of course there are known gaps! And it's the people who work here who know where to find the holes. The guy who is empowered to do you the most damage already works for you. The developers leave open doors in our applications, and our LAN administrators have the keys to the kingdom. There's no one place where all the data comes together to enable those of us on the firing line to see where the interconnections and interdependencies may exist. Besides, I get paid to think about "what if," so scoring anything less than a five would be dishonest.

Do you worry whether the people your company hires in sensitive positions (supply here your local definition of "sensitive") tell the truth about their personal and professional histories?

I know damn well they aren't truthful because I do the background investigations. The problem is that we manage this process for HR on selected hires; and if the hiring manager is senior-level enough or the position critical enough, a candidate with a bad background will get hired anyway. I've kept score on these bad hires, and about two-thirds of them are gone after two years—a number of them because they didn't have the competencies that they advertised coming in. I also know that they've lied through their teeth concerning their prior compensation to pick our pocket. But I really worry about the day when the press gets wind of serious malfeasance by someone on the payroll for whom we have a derogatory background report. The process here is a farce, but I've been unsuccessful so far in my attempts to influence it. So I'll take a solid, but unapologetic, five here.

Does your company outsource any business processes that contain sensitive information or other valued assets?

All our customer communication is through a vendor-based phone center in another country. Our legal department, purchasing and facilities are also all contracted out. And now I hear that they are entertaining the thought of having HR outsourced along with significant elements of our IT infrastructure. I'm turning into more of a contract manager than a security officer. We have become more of a virtual corporation than a real one. And the numbers guys love it! I know that these vendors see some of our most private information and business processes. Since I'm paid to worry, I'll give us a four.

Has your company failed to perform due diligence on its vendors' systems of control over company assets?

I've gone through the procurement files on several recent deals. The only evidence of any due diligence was financial in nature. Of the five files that I examined, only one had executed a nondisclosure-confidentiality agreement. Of greater concern was the total absence of a technical due diligence for three vendors that provide software development and sales support services. Both situations allow online access to highly sensitive proprietary information. Moreover, these vendors are on our network, and we don't have a clue! Anything less than a five here is kidding myself.

Do messengers of bad news get shot? And is there a reluctance to escalate concerns on integrity to senior management?

Think about why Time magazine selected three whistle-blowers as its Persons of the Year for 2002, or why Sarbanes-Oxley needed to repeat the whistle-blower protection put forth a mere 10 years earlier in the Corporate Sentencing Guidelines. And isn't it interesting that Sarbanes-Oxley put special emphasis on the protection (nay, encouragement) of lawyers and auditors for reporting wrongdoing?

You might think the bigger the fish, the greater the disappointment for transgressions. Not so. I've noted along the way that, when it's a little fish on the hook, senior management pauses only long enough to consider whether to fry it or bake it. Catch-and-release for the select few (the big guys) is more often the case. It is a fraternity after all. And CSOs learn quickly that they have to build a bulletproof case for the chosen ones. Sad to say, I'm inclined to look the other way on this one and give us a three.

When things go wrong, are the lessons learned vastly ignored?

Unfortunately, yes. Why would a success-oriented executive put his reputation on the line and 'fess up to a big-time boo-boo? Think about it. That's why it has to fall to the governance organization to complete the circle. The audit committee is a wonderful place to get things on the record that can't easily be trashed, especially in this post-Enron business environment. But if you continue to shoot the messengers, how do you expect to calculate anything in sufficient enough detail for the auditors? It's tricky, but there is a real incentive from Sarbanes-Oxley to protect data. Score us a four on this one.

So, what's your tally? You had 12 questions that could have given you a possible score of 12 to 60 points in total. I scored a 49—which puts me into the 80th percentile on the bad side of the equation. Am I concerned? Hell yes! But I just got my bonus check. And I'm going to take the advice of my lawyer friend and burn these results. On second thought—given what this says about our risk and ethical environment—I think I'll take a harder look at those job opportunities on CSOonline.com.

This column is written anonymously by a real CSO. E-mail reader feedback to csoundercover@cxo.com.




The CIO's Knowledge Marketplace

You need information and you need it now.

Don't waste your valuable time searching high and low. When you need to get your to-do list done, come to the one site that has it all. From strategies and roles to technologies and tools, the CIO Store offers the best collection of research, reports and expert advice anywhere. You can depend on the full range of resources offered at the CIO Store.

The CIO Store: when you need to get smart, fast.

CIO: The Resource for Information Executives


Sales and Services

CSO Sales Offices

President  and  CEO 
Walter  Manninen  •  508  935-4101 
Group  Publisher 
Gary  J.  Beach  •  508  935-4202 
Publisher  Bob  Bragdon  •  508  935-4443 
Executive  VP  Sales/Custom  Publishing 
Ellen  Romanow  •  508  935-4796 
East  Coast 

East  Coast  Regional  Manager 
Roz  Burke  •  508  935-4163 
Regional  Sales  Director 
Kathy  Powers  •  201  634-2331 

Midwest 

Regional  Sales  Director 
Robert  E.  Sawdon  •  512  306-9801 
Senior  District  Sales  Manager 
Beth  DeVillez  •  847  441-3140 

West  Coast 

Western  Regional  Sales  Manager 
Mary  Sinclair  •  415  975-2691 
Senior  Regional  Sales  Manager 
Jane  Evans  •  415  975-2680 
Senior  Regional  Sales  Manager 
Ai  Collins  •  415  975-2686 
Senior  Account  Executive 
Isaac  Ugay  •  949  475-5579 

List  Services 

List  Services  Director 
Kathryn  A.W.  Marston  •  508  935-4072 
List  Services  Account  Executive 
Stephanie  Roy  •  508  935-4151 

Online  Services 

VP/Online  Sales 
Lisa  Brown  •  508  935-4470 
Online  Sales  Manager 
Michael  McPhee  •  508  935-4611 

Custom  Publishing 

Group  Director  Michael  Siggins 
Director  Mary  Gregory 
Director  of  Content  Development 
Tom  Field 
Project  Managers 
John  Danielowich,  Amy  Greenleaf 


Production

VP/Manufacturing Chris Cuoco
Production Manager Lee Tuttle
Senior Production Coordinator Lisa Stevenson

Executive Programs

EP Senior Vice President Jennifer Richards
Conference Management VP Cynthia Mollus
Marketing Services Director Shellie Rapson James
Business Development VP John Amato
Business Development Director John Vulopas
Content Development Manager Lafe Low
Program Operations Manager Brian Fuce
Marketing Manager Glede Kabongo
Marketing Design Specialist Andrea Slobogan
Senior Client Relations Specialist Sandra J. Hughey
Senior Logistics Coordinator Michael Barbato
Event Planning Director Amy Turell
Senior Customer Service Coordinator Sarah Yee

Marketing

Executive VP/Marketing Cathy O'Leary Hayes
VP/News and Information Susan Watson
Media Relations Manager Karen Fogerty
Program Administrator Lori Piscatelli
Marketing Research Director Bridget Cammarata
Marketing Research Manager Carolyn Johnson
Marketing Research Manager Dylan DiGregorio
Marketing Comm. Director Sue Yanovitch
Sr. MarCom Specialists Sarah Crowley, Kara Murphy
Marketing Comm. Coordinator Lynn Holmlund

Circulation 

Senior  VP/Circulation  Carol  A.  Spach 
Circulation  Director  Faith  Marcello 
Subscription  Svcs.  Supervisor  Tina  Pescaro 

Reprint  Services 

For article reprints (500 quantity or more), please contact Jackie Day at RSiCopyright at 651 582-3856 or e-mail csoreprints@rsicopyright.com. For further sales information, visit www.csoonline.com/reprints/index.html.


CSO Contact Information

Editorial,  Advertising  and  Business  Offices 

492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208, 508 872-0080.

Postal  Information 

CSO (ISSN 1540-904X) is published monthly by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodicals Postage Paid at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. CANADIAN POSTMASTER: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9.

Permissions 

Copyright 2004 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Send requests to Andrew Burrell, CXO Media Inc., 492 Old Connecticut Path, Framingham, MA 01701. Telephone 508 935-4785. E-mail aburrell@cxo.com.

Photocopy  Rights 

Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that the base fee of $3 per copy of the article, plus $.50 per page is paid directly to Copyright Clearance Center, 27 Congress Street, Salem, MA 01970. Please specify: ISSN 1540-904X. Permission to photocopy does not extend to contributed articles followed by this symbol: $.

Subscriptions 

Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified information executives. To all others the one-year basic rate is $90 for the United States and Canada, $115 to foreign countries (payable in U.S. funds only). The single copy price is $9. Please allow four to six weeks for new subscriptions to begin.

Change  of  Address 

Please  go  to  www.omeda.com/custsrv/cso 
and  follow  the  online  instructions. 

Postmaster 

Send change of address to CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.


Index of Companies and Advertisers

Page numbers refer to the first page of the article(s) in which the company has a substantial mention. This index is provided as a service to readers. The publisher does not assume any liability for errors or omissions.


Company  Index 

Adobe Systems Inc. . . . 53
Akonix Systems Inc. . . . 53
Allied Security Inc. . . . 44
Alta Associates Inc. . . . 40
America Online Inc. . . . 53
Apple Computer Inc. . . . 53
Beepcard Inc. . . . 13
Bessemer Group Inc., The . . . 40
Bloomberg LP . . . 53
British American Tobacco PLC . . . 34, 44
Center for Talent Retention . . . 34
Change Management Group . . . 34
Comerica Inc. . . . 44
Communicator Inc. . . . 53
Computer Sciences Corp. . . . 20
Cyber-Ark Software Ltd. . . . 44
Delaware North Companies Inc. . . . 44
eBay Inc. . . . 40
Endeavors Technology Inc. . . . 53
FaceTime Communications Inc. . . . 53
IBM Corp. . . . 53
iJet Travel Risk Management . . . 13
IMlogic Inc. . . . 53
InfoTrends Research Group Inc. . . . 13
Internet Security Systems Inc. . . . 13
Intuit Inc. . . . 53
Jabber Inc. . . . 53
Korn/Ferry International . . . 34
Lenzner Group . . . 30, 40
Levi Strauss & Co. . . . 30, 34
MCI Inc. . . . 30
Merck & Co. Inc. . . . 34
Microsoft Corp. . . . 53
Motorola Inc. . . . 40
Network Associates Inc. . . . 20
Nokia Corp. . . . 13
Novartis AG . . . 34
Oracle Corp. . . . 13, 40
Osterman Research Inc. . . . 53
Ouellette & Associates Consulting Inc. . . . 44
Parlano Inc. . . . 53
PGP Corp. . . . 44
Playmobil USA Inc. . . . 13
Raymond James Financial Inc. . . . 44
Reuters Group PLC . . . 53
RSA Security Inc. . . . 53
Security Risk Solutions . . . 40
Sigaba . . . 53
SurfControl PLC . . . 53
Washington Mutual Inc. . . . 40
Wells Fargo & Co. . . . 34
Wolf, Block, Schorr and Solis-Cohen LLP . . . 34
Yahoo Inc. . . . 53

Advertiser  Index 

ADT . . . 19
Aladdin Knowledge Systems, Ltd. . . . 17
Authenex Inc. . . . 23
Computer Associates Intl. Inc. . . . C4
CXO Media Inc. . . . 25, 57, 61, 63
Digital Persona . . . 59
Enterasys Networks . . . 7
Executive Women's Forum . . . 52
HID . . . 3
IBM Corp. . . . 28
Information Systems Audit and Control Assoc. . . . 21
Internet Security Systems . . . 8
Lancope Inc. . . . C3
Micromuse Inc. . . . 51
Microsoft Corp. . . . 11
Network Associates . . . 12
Robert Half Technology . . . 5
RSA Security Inc. . . . 15
Sungard Availability Services . . . 55
Symantec Corp. . . . C2
VeriSign Inc. . . . 33




Proudly underwritten by: Cigital, Cisco Systems, Lockheed Martin (“We never forget who we’re working for”), Ounce Labs, Symantec.

Produced by: CIO, The Resource for Information Executives; CSO, The Resource for Security Executives.

CXO Media Inc. is the publisher of CIO and CSO magazines.


Step  Away  from  the  Vehicle 


The  Alarmist 


Aaron Friedman is a twentysomething classical music composer in New York who used to describe himself as "apolitical.”

Then, one night last year, one of those hyperstrident car alarms jerked him out of a dead sleep in his Washington Heights apartment. In a Wagnerian fit, he went online that very night and discovered, to his bleary dismay, that as a security measure, blaring alarms have proven utterly ineffective and worthless. He’s been an accidental activist ever since. “Even the insurance industry has said they've studied it, and they can't find any evidence the alarms prevent theft,” he says. Friedman has put off his composing in order to push legislation in New York City that would ban the audible alarms, which shriek at 125 decibels—the same amount of noise you'd hear standing 100 yards from a jet engine revving for takeoff. Debriefing spoke with Friedman at a more civilized volume.

Debriefing:  First,  let’s  play  word  association. 
What’s  the  first  word  that  comes  to  mind 
when  we  yell:  RRNNT  RRNNT!  WHOOOOO- 
OOOOOP  WHOOOOO-OOOOOP!  REWREW 
REWREW!  BLUE-DOO  BLUE-DOO! 

Aaron  Friedman:  [Laughs] 

What  is  the  status  of  the  legislation  in  New 
York  City? 

There were two car alarm bills reintroduced in City Council this year. The Council speaker has put off the issue a number of times, but now the mayor is planning to revamp the city’s noise code for the first time in 30 years. To be honest, I’m a bit confused by all of it right now. I do know that in Vancouver, Canada, the City Council is doing something similar, and it’s expected to take off.


As  a  self-described  apolitical  person,  are  you 
frustrated  by  the  politics  of  all  this? 

I  didn't  intend  to  make  my  hatred  of  car 
alarms  into  a  political  fight.  I  thought  maybe 
I'd  be  able  to  explain  to  car  owners  what 
they  were  doing  and  they’d  listen,  and  then  I 
could  go  back  to  my  regular  life. 

Ha! 

Yeah. There were just too many individuals I would have had to talk to. It's funny because there are many issues that people automatically consider political, like health-care costs. They expect elected officials to do something about it. According to the census, noise pollution is the number-one complaint people have about where they live. More than crime or the quality of schools. But, for some reason, people don't make it political.

Have  you  ever  had  car  alarm  rage,  we  mean, 
besides  the  night  you  rampaged  over  to  your 
computer  to  violently  research  the  problem? 

The  one  time  I  was  most  irate,  I  charged  into 
the  street  and  saw  someone  getting  into  the 
car  that  had  kept  me  up  all  night.  I  laid  into 
him  good.  But  it  turned  out  he  didn’t  speak 
English. 

We  have  a  brother  who  lives  in  Brooklyn  and 
who  is  a  graphic  designer.  He  complains 
about  the  same  thing.  Maybe  the  problem 
isn’t  the  alarms.  Maybe  it’s  all  you  artists  and 
your  creative  temperaments. 

It’s  interesting  because  I’ve  had  people  tell 
me  they  tune  it  out.  But  studies  show  that 
even  people  who  think  they’ve  gotten  used  to 
the  noise  haven’t.  They  show  higher  levels  of 
stress  hormones  and  higher  blood  pressure 
than  people  who  aren't  subjected  to  the  noise. 


Why  do  you  think  so  many  people  invest  in  a 
piece  of  security  that  doesn’t  work  at  all? 

Car  alarms  are  a  sales  scam.  I  think  there's 
a  macho  element  too.  People  like  the  idea  that 
it  will  draw  attention  when  they  walk  away 
and  do  the  "bloop-bloop”  with  their  key 
chains. 

Speaking of key chains, you've noted that for $75 people can get a pager for their key chain that vibrates when someone messes with their car. It’s a silent and possibly more effective solution than the noisemakers.

Brilliant, right? Instead of a town crier yelling out the time, you get a wristwatch. But they’re not very popular. In a way, I think it’s because it makes you responsible for your own car. An alarm puts the onus on everyone who’s hearing it.

Charles Dickens, among others, got organ-grinders banned from the streets of London once upon a time. But after they were gone, people missed them. Will the same happen if car alarms get banned?

No. No one likes the sound of a car alarm. It's purposefully obnoxious. I can’t wait 'til they’re gone. It happens all the time, that when I'm researching and writing on car alarms, a car alarm goes off. And I think to myself, “Someday I’ll get you, my friend. You just wait.” It’s almost satisfying. ■




ILLUSTRATION  BY  STEPHEN  WEBSTER 


BRIDGING THE GAP BETWEEN SECURITY AND NETWORK OPERATIONS

StealthWatch by Lancope
Security Through Network Intelligence™

Discover how StealthWatch™ by Lancope, the next-generation network security solution, delivers behavior-based intrusion detection, policy enforcement and insightful network intelligence. With integrated visibility across network security, traffic characteristics and host-level activity, StealthWatch provides unparalleled network protection and optimization. Download the white paper ‘How StealthWatch Bridges the Gap’ from www.lancope.com/whitepaper/cso.

StealthWatch and Lancope are registered trademarks of Lancope, Inc. ©2004 Lancope, Inc. All rights reserved.


Computer  Associates® 


©2003  Computer  Associates  International,  Inc.  (CA).  All  rights  reserved. 


The  right  management  should  do  more  than  just  protect. 

It  should  also  enable. 

eTrust™  Security  Management  Software 

With  eTrust  security  management  software,  your  information  isn't  just  safeguarded  from  internal  and  external  threats. 
We  provide  authorized  customers,  partners,  and  employees  with  appropriate  access  that  can  help  your  business  grow. 
In  addition  to  securing  data,  eTrust  also  provides  a  single  view  of  your  security  environment,  so  you  can  make  real-time 
decisions  based  on  comprehensive  information.  If  you're  looking  for  ways  to  minimize  risk  while  maximizing  your 
potential,  or  to  get  a  white  paper,  go  to  ca.com/security. 


FREE RENEWAL!

We can’t continue to send you CSO without your completed application. Don’t risk missing an important issue that could affect your future success—Renew online today. It’s quick, easy and costs you nothing!

http://CSOONLINE.COM/RENEW/604

Renew today and you won’t hear from us for another 12 months!


